Stopping the Flagrant Piracy of Mint

Let’s have this out in the open: Mint is being pirated. Which puts me—and all of Mint’s paying customers—in a difficult position.

Mint’s source code is provided to every licensed user for many reasons. One is to simplify installation. Most commercial PHP software requires a third-party decoder module to be installed on the server in order to run the encoded source. In my experience, these decoders never work as advertised—if a host even has them installed.

Another reason is, should I disappear off the face of the earth tomorrow and new bugs are discovered the following day, the software isn’t a closed box. Each license holder can modify Mint for their own use within the terms of the EULA.

This openness adds value to the software. Unfortunately, it also allows the less scrupulous among us to pirate the software. But I knew this going in—I even made remarks in the source code, “By changing these bits, you’re not being clever—you’re being a crook.” Or something to that effect.

Paying customers may be asking, “How does this affect me? I paid. I already have your software. It doesn’t concern me.” More and more asshats are showing up on the Mint Forum or emailing me directly requesting support for cracked versions of Mint. One person even purchased a license only after he couldn’t get the pirated version working. Some may argue, “a sale is a sale,” but I have no interest in that kind of “oops, you caught me” customer. Every hour that I am forced to waste confirming licenses and sending emails to thieves and their hosts takes away from the development of Mint and providing support to existing customers; activities licensed users directly or indirectly benefit from.

There are really two problems that need to be addressed here: how to stop the piracy and how to reduce the time involved in identifying and addressing those already pirating Mint.

I can’t out the pirates. That would be like saying, “Just ask this person if you don’t want to pay for Mint.” I refuse to close the source. The price is not up for debate.

Just being able to easily identify unlicensed uses of Mint would solve part of the second problem and could act as a significant deterrent for the first (since offenders would be far less likely to get away with it).

What’s a developer to do? Here’s an idea: a Firefox extension that silently checks for a Mint installation on each site visited and if found, sends a ping to a central server. The server could then validate the domain against a list of licensed domains and flag any offenders. The extension would not reveal the outcome or require any input from the browser user. The ping would be anonymous and only fire when a Mint installation was found (and not every page visited). Even if only 3% of Mint’s current user-base chose to participate in this “Neighborhood Watch” it would create a pretty significant canvas. With an incentive—pseudo-live visit counts in your toolbar anyone?—I could see the uptake being significantly higher.
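The server half of this "Neighborhood Watch" idea, sketched as an added example that is not code from Mint or from the author: it normalizes the reported host, checks it against the license list, queues unlicensed hosts for manual review, and returns the same reply whatever the verdict so the extension never reveals the outcome. Assumptions: every function name is hypothetical, a license is taken to cover a domain and its subdomains, and the `.example` hosts are constructed sample data.

```javascript
// Added example: server-side handling of an anonymous "Mint found here" ping.
// All names below are hypothetical; nothing here is Mint's real code.

// Reduce a reported URL or hostname to a comparable domain key, or null.
function normalizeHost(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  let host;
  try {
    // Accept either a bare hostname or a full URL.
    host = new URL(input.includes('://') ? input : 'http://' + input).hostname;
  } catch (e) {
    return null; // unparseable input is dropped, never stored
  }
  host = host.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  if (host.startsWith('www.')) host = host.slice(4);
  // Require at least two DNS labels: rejects "localhost" and IPv6 literals.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host)) return null;
  // Reject IPv4 literals: a license list is keyed by domain name.
  if (/^\d+(\.\d+){3}$/.test(host)) return null;
  return host;
}

function createWatchServer(licensedDomains) {
  const licensed = new Set(licensedDomains.map(normalizeHost).filter(Boolean));
  const flagged = new Map(); // host -> { reports, firstSeen, lastSeen }

  // One constant reply for every ping. Because it never varies, neither the
  // extension nor anyone watching its traffic can learn the verdict.
  const ACK = Object.freeze({ status: 204 });

  // Assumption: a license for example.com also covers blog.example.com.
  function isLicensed(host) {
    const labels = host.split('.');
    for (let i = 0; i <= labels.length - 2; i++) {
      if (licensed.has(labels.slice(i).join('.'))) return true;
    }
    return false;
  }

  // Only the host is recorded. Nothing about the reporter is stored, which
  // keeps the ping anonymous; it also means a ping can be forged, so a
  // flagged host is a lead for manual review, not proof.
  function handlePing(reported, now = Date.now()) {
    const host = normalizeHost(reported);
    if (host !== null && !isLicensed(host)) {
      const entry = flagged.get(host) || { reports: 0, firstSeen: now, lastSeen: now };
      entry.reports += 1;
      entry.lastSeen = now;
      flagged.set(host, entry);
    }
    return ACK;
  }

  // Hosts awaiting manual verification, most-reported first.
  function reviewQueue(minReports = 1) {
    return [...flagged.entries()]
      .filter(([, e]) => e.reports >= minReports)
      .sort((a, b) => b[1].reports - a[1].reports)
      .map(([host, e]) => ({ host, reports: e.reports }));
  }

  return { handlePing, reviewQueue };
}

// Constructed sample run (reserved .example names, not real sites).
const demo = createWatchServer(['licensed.example']);
for (const ping of [
  'https://blog.licensed.example/',  // covered by the license: ignored
  'pirate.example',
  'http://WWW.pirate.example:8080/mint/',
  'localhost',                       // not a public domain: dropped
]) {
  demo.handlePing(ping);
}
console.log(demo.reviewQueue());
```
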

So that’s one idea, does anyone have any others?

Author
Shaun Inman
Posted
February 3rd, 2006 at 1:47 pm
Categories
PHP
Personal
Mint
Web
Comments
084 (Now closed)

084 Comments

001

You could always pull back on the support. Your efforts on the forum go above and beyond the call of duty. The fact that Mint is open allows developers to support themselves and each other. If supporting pirates is preventing you from adding new features and optimizations, then I say support less.

Author
Brandon
Posted
Feb 3rd, 2006 9:11 am
002

I should clarify, it’s not a question of supporting pirates, they receive no support.

Author
Shaun Inman
Posted
Feb 3rd, 2006 9:14 am
003

I think you’re wise to look towards the community for help. A Firefox extension could be a good way to go, or even if there was a simple bookmarklet you could make that said “Verify site license” that returned a page that said, yep - verified, or nope - not verified.

I for one, would have no problem installing the extension, and I think it would be well received.

Author
Kyle
Posted
Feb 3rd, 2006 9:28 am
004

A Firefox extension is a great idea… in addition to that I think a hall of shame list is in order… something similar to the password list you find at DefCon (or so I’m told). A little peer pressure might go a long way.

Even if it takes you a few moments to validate the presence of a pirated version before adding it to the hall of shame; it might be less work overall for you

Author
Jehiah
Posted
Feb 3rd, 2006 9:31 am
005

The idea of a Firefox extension sounds great :-)

Author
Remi Prevost
Posted
Feb 3rd, 2006 9:33 am
006

Shaun, I was going over a dilemma like this in my head a few weeks back, and here’s my two cents:

Make registration happen on your end. Use AJAX to send a unique identifier for each URL/Owner/Whatever to your server or whatever, and then have it do the verification on that end. Maybe do this every single time somebody loads up Mint on their server.

Another way to keep the source a bit more secretive is to use Zend optimizer or an obfuscation device. I believe that Expression Engine uses Zend for compression and secrecy, so maybe give that a shot man.

Author
Mike Rundle
Posted
Feb 3rd, 2006 9:35 am
007

One more thing about Brandon’s comment. I don’t consider my efforts on the forum are above the call of duty. If someone can’t get Mint installed then what are they getting for their $30?

Thanks Kyle, I considered the favelet idea but don’t like how it requires direct interaction. In order to be truly useful it should be seamless.

The extension shouldn’t reveal the verdict to the browser user—that would be the same thing as publicly calling out the pirate—a big neon sign flashing “get yer Mint here!”

Author
Shaun Inman
Posted
Feb 3rd, 2006 9:36 am
008

This is a tough situation, I love Mint and would support an extension to help with this problem. I don’t have any additional ideas right now, but will think about this more.

Author
Scott Orchard
Posted
Feb 3rd, 2006 9:38 am
009

While I would not have a problem using that kind of extension I do think it would be more valuable to develop an extension that could do the same service for a number of web sites. I don’t want to install an additional extension for every small company that wants to install a neighborhood watch on my browser.

Is there any way this could be a Greasemonkey extension? That would probably integrate better than an additional extension to bloat up my Firefox.

Author
Stefan Hayden
Posted
Feb 3rd, 2006 9:39 am
010

Shoot, I’d do it. I’d even help you sort through the list and nail the thieves.

Author
Jeremy Boles
Posted
Feb 3rd, 2006 9:39 am
011

I haven’t installed mint and have little knowledge of the inner workings (some day when I have a more complete site I’ll be buying a copy).

However, I thought that if you have a controlled database of licensed users and modify Mint to only work by checking with that database… that may solve the issue?

It’s an interesting problem at the very least. My sympathies go out to Shaun for having to deal with such a headache. One would think that for what you are getting the price is well worth it.

Author
Landon Durnan
Posted
Feb 3rd, 2006 9:41 am
012

The problem with any activation techniques in open source is that validation always comes down to a simple true or false conditional that can be easily replaced. (You would not believe some of the complex hacks I’ve seen to get Mint to work, these people really aren’t clever.)

Author
Shaun Inman
Posted
Feb 3rd, 2006 9:44 am
013

Pretty interesting question. I’ve been thinking about this too for a soon-to-be-released I plan to release in a way that is similar to Mint. Piracy is one thing I’ve wondered about since I intend to share the source code with my customers too.

The FireFox extension idea isn’t a bad one, but I’d bet pirates would easily find ways to hide the fact that they are using Mint (by changing cookie names for example). Keeping it working could become a hide and seek game that wouldn’t save you any time. That’s just a possibility.

Maybe instead you should find a way in the forum to show directly if someone is licensed or not. Going a little further you could block non-consumers from starting topics in certain parts of the forums. Of course, as you say, this is “publicly calling out the pirate.”

Author
Michel Fortin
Posted
Feb 3rd, 2006 9:49 am
014

Shaun, I think your Firefox extension idea is a really good one. I think the best way to fight piracy is by publicly identifying them. Your extension should post the domain to a public list of suspected pirates, or at least queue them up for you to go through them. Now the hard part is trying to convince the community to install the extension but I’ll leave that up to you.

Author
Chase
Posted
Feb 3rd, 2006 9:57 am
015

A silent ff extension makes sense. I would definitely participate.

When it comes to pirating open source, I think you’re exactly right. Anything you do in code to prevent piracy is inherently insecure. While not terribly practical, the only solution is to put it out there and sniff out the offenders after the fact.

The only problem I see with a ff extension is the hit-and-miss nature. I doubt much of the community is going to be able to land on a large enough group of offenders. I would hope one could find a bigger net.

If only a major search engine (with an API) had the ability to search the source of a page. Then you wouldn’t need to rely on the community to install something third party. There’s your bigger net.

Author
Lance E. Leonard
Posted
Feb 3rd, 2006 9:58 am
016

Is it possible to encode only a portion of the application?

I’m not an application developer, so I really don’t know, but if you could close the source on the parts being hacked it would go a long way, I think.

Author
Tim Murtaugh
Posted
Feb 3rd, 2006 9:59 am
017

If you could get a Firefox extension to work like that, I’d happily install it. I also agree with the user above me. Maybe if you prevented nonlicensed users from posting in every forum that would solve half of the problem. I understand that you would still want to find the pirates too but that’s a good short term. Maybe have a “Pre-sales” forum for everyone to post in and then general support for licensed users.

Author
DJ LoBraico
Posted
Feb 3rd, 2006 10:01 am
018

What I like about the extension idea is that it doesn’t have to rely on superficial identifiers for Mint like cookies or directory names. It could have direct access to the JavaScript object and functions that actually initiate the recording of a hit. Changing the signature of that object too much would require greater changes in Mint’s other source code than it would be worth.

I’ll have to look into this but couldn’t this extension also query my server to get the most up to date tests for known cracks? That would make it fairly easy to stay on top of the hide and seek game. Also I could encode the checks in the extension—leaving them open doesn’t provide any additional value to the end-user.

The problem with partial encoding is the point where the encoded and open interact. The validation routine ultimately has to report to other parts of the code.

Author
Shaun Inman
Posted
Feb 3rd, 2006 10:11 am
019

Shaun, I would use your proposed Firefox extension, but wouldn’t it be easier if you had a hybrid version of Mint that incorporated a hosted component that required some form of validation?

Author
Colin
Posted
Feb 3rd, 2006 10:11 am
020

If you tied access to the support forum, and access to the support email contact form, to a user’s haveamint.com login/password, then you should be able to keep pirates out. (The fact this goes on makes me laugh. I wonder how many people call Adobe when they can’t pirate Photoshop!) I think this is the best way you can go about tackling the major negative effect pirates have on you, namely sucking up your time on support ‘calls’ they don’t deserve. I am guessing that most people who are pirating Mint wouldn’t buy it if they couldn’t pirate it. You aren’t really losing revenue when your work is being used in this way, assuming you don’t have to waste your time dealing with the pirates.

As for protecting the program itself, I think this is a futile effort. Crackers break some seriously complicated security schemes in programs where the source code is closed. Trying to protect a product like Mint where the internals of the program are visible to all is going to be next to impossible, I suspect. Moreso, I think it is a waste of effort you could direct to more useful purposes, like bug fixes and improvements to the program.

And I think I may be in the minority here, but I think Firefox extensions and the like are also probably not going to do much good as well. I have no doubt people would get around any scheme you put in place. At some point it becomes an arms race between you and the crackers. (Though your program is niche enough that I suspect each pirate is cracking the program on his own.) Also, it is pretty unlikely you will catch many pirates in this way. And if you do, what exactly would you do? Can you use the data you collect to demand payment, or punitive damages, or some other form of reimbursement? Again I think this isn’t as simple as it looks on the surface.

I agree it sucks that there are people who aren’t compensating you for your work, but I think it’s something you have to come to terms with.

Author
ramanan
Posted
Feb 3rd, 2006 10:14 am
021

Man, some people are asshats.
I’d be more than willing to install an extension or whatever that’d help weed out pirates.
I’d imagine that encoding a portion of the app would guard against the lazier pirates but then it’s just a case of finding the encoded part and ripping it out.
What if the validation routine was done on your server? Obfuscate the call to this validation script; and have that script return authorization variables known only to you? I’m no PHP magician so I don’t know if it’d work or not but that was my original thought. Means you could embarrass pirates on their own sites too - a ‘buy mint’ ad banner or something ;)

Good luck with this Shaun - Mint is the shiznik!

Author
Rob Wilmshurst
Posted
Feb 3rd, 2006 10:18 am
022

You could encrypt some of the core logic using private and public keys issued when you buy a copy and use eval() to run it after decryption.

I’ve used base64_encode() to obfuscate the code, and it works perfectly. Obviously not good enough to stop experienced programmers.

My 2 cents.

Author
Michael Simmons
Posted
Feb 3rd, 2006 10:20 am
023

I’m not sure I really want to get involved with a hosted option. That would be a whole lot of data traveling down my pipes. Think about Google with all their resources and the limitations they’ve had to put on Analytics. Setting a limited number of users for a free service is reasonable. That doesn’t work as a business plan though.

Besides, I wouldn’t use a hosted service for stats so I wouldn’t really want to be selling one.

Ramanan, you’re definitely right about it being an arms race. Unfortunately, each pirate is not cracking Mint on their own. There have been widely distributed versions of a handful of releases. Being able to neutralize those widely-distributed cracks would have a measurable effect on the crap I have to deal with. That said, I am working on an update to haveamint.com with tighter account/support integration to insulate myself and other active Forum members from the asshats.

That data collected can, at the very least, be used to contact the offenders’ hosts and have the application removed from the server.

Author
Shaun Inman
Posted
Feb 3rd, 2006 10:27 am
024

I think it’s pretty sad people are pirating a piece of $30 software. Piracy is wrong but we’re not exactly talking about the Adobe Creative Suite here. I think instead of figuring out ways to circumvent pirates, the root of the cause needs examining.

Why are folks pirating? Is $30 per domain too much? If you have a few domains you need to monitor, that can add up quick imo. I wouldn’t mind paying $99 for unlimited licenses. It is “open source” after all.

Mint thrives on its Peppers. Why not modify the forum as closed to the public, except for registered/validated users?

Author
Dave
Posted
Feb 3rd, 2006 10:31 am
025

I didn’t read all the discussion, but for the favelet, it can be easy to launch it on every page using Firefox extension (and even Safari’s PithHelmet).

A dedicated Ff extension would be nice, but few of us are under Macs, and fewer are browsing with Safari. But it’s still licensed users willing to help you in this effort. Then, consider us :)

Author
Jérôme Verzier
Posted
Feb 3rd, 2006 10:39 am
026

Dave, I think someone who doesn’t want to pay $30 dollars for Mint probably doesn’t want to pay $5 for Mint either. Though I have done any serious market research on the matter.

I think you are quite right about Peppers though. I think if the distribution of Peppers was also more closely tied into the haveamint.com website, that would also be a big plus.

Author
ramanan
Posted
Feb 3rd, 2006 10:42 am
027

Also, Shaun, you could always seed trojan copies of Mint into the wild. Though that would be evil — albeit satisfying — I am guessing.

Author
ramanan
Posted
Feb 3rd, 2006 10:45 am
028

Haha, instead of installing Mint it uninstalls blogging app tables? That’s too cruel. Maybe instead it just adds “I tried pirating Mint and it left a bad taste in my blog” to the beginning of every post. :)

Author
Shaun Inman
Posted
Feb 3rd, 2006 10:51 am
029

Well assuming they install things properly you know their database, username, and password. I would think that “drop $database;” would be the simplest SQL call you can make.

Author
ramanan
Posted
Feb 3rd, 2006 11:00 am
030

This is an interesting problem. I do like the idea of a Firefox extension. Perhaps a little mint icon with the option to display your stats next to it. And instead of highlighting the pirates highlight when mint is simply discovered.

It’s a shame people have to pirate Mint. Compared to all the extremely expensive stats applications the price is not a roadblock. It’s totally ridiculous.

Author
jacob harvey
Posted
Feb 3rd, 2006 11:06 am
031

I like Ramanan’s idea. ;-)

Author
Jonathan
Posted
Feb 3rd, 2006 11:10 am
032

Hi Shaun

Although I don’t use Mint, it looks great.

Many developers are in a similar situation to yourself. There is no easy answer.

My suggestion is to provide your (legit) userbase with usr/pass info to access the support material (incl. discussion forum).

Changing the code will only up the bar a wee bit and soon hacked versions will be floating around P2P.

Concentrate on marketing and making clients very happy. Put a note in the code about how much development time has gone into Mint, and how painless it is to pay, and in being honest, this contributes to the future development of the product they are using.

I would suggest against doing a Sony, to any degree.

Hope it all goes well …

Author
rob
Posted
Feb 3rd, 2006 11:25 am
033

“Haha, instead of installing Mint it uninstalls blogging app tables? That’s too cruel. Maybe instead it just adds “I tried pirating Mint and it left a bad taste in my blog” to the beginning of every post. :)”

I love that. I don’t use Mint yet but if you make a Firefox extension I will for sure install it on several machines to help track down. I hate pirates whether from the past or present they just suck.

Author
Ryan Crisman
Posted
Feb 3rd, 2006 11:26 am
034

I would support your idea for the FF extension, but would support having the extension show the result so that one might choose to post “hey you thief!” in their blog’s comments.

Mostly, I have to agree with others that the forums access should be tied to the support - this is how Trillian does it. The other thing you could do is offer a free version that cannot use peppers along with hobbling it in some other way, so that people can effectively try and buy. In my opinion, the peppers are one of the most attractive features of mint. I always try to go for free software options, but Mint has got to be one of the best pieces of software I’ve seen in a while so I paid up right away. Having peppers then tied to this Members-Only support forum, encourage people to upload peppers to your central area so that only paying people can get them would also help. You were already thinking of doing this, so it all ties together.

One other idea… When one goes to site.com/mint, you currently see a login page. It would be easy to include code that displays an image pointing to shauninman.com that is generated by a CGI at the site. You wouldn’t have to login to see it - anyone could see it - and the image would only show for valid versions of Mint. Following the link would take you to shauninman.com where it could be further verified.

Author
Ernie Oporto
Posted
Feb 3rd, 2006 11:38 am
035

You create the extension - and I’ll damn well use it. I’m sick of hearing people whine about the cost of Mint. For f-sake, there are a huge number of free stat packages out there if you can’t afford to pay for Mint. This idea that you can just go ahead and crack someone else’s work because you feel “entitled” is wearing damn thin.

Author
BigA
Posted
Feb 3rd, 2006 11:51 am
036

I’d support an extension, but isn’t there a way to write a little piece of code in php that phones home once (or once and on upgrades)?

Author
Lisa
Posted
Feb 3rd, 2006 12:03 pm
037

Lisa, if someone audits the code, they can just remove the call home code and that would be that.

Author
ramanan
Posted
Feb 3rd, 2006 12:07 pm
038

Regarding the support issue, locking the forum down to only members (except for a small should I buy Mint section) would work well. Also removing the contact form and placing it within the account interface might also help. You could still leave a before I buy contact form on the public part of the site, just have it get flagged a certain way in your email. That way if you got an email that wasn’t purchase related you could delete it without suffering a guilty conscience.

Regarding the actual piracy of Mint, I really think there is a little you can do. A Firefox extension could help solve this problem, and if you were really evil you could have a secret delete function built into Mint, that if the Firefox extension found the Mint key invalid, it would activate the delete function within Mint.

When it comes to Peppers being only available on the site, I have a feeling that won’t work. From what I’ve seen with Trillian, there are hackers that download all the plugins from Trillian’s site, and then RAR-em-up, so the pirates never have to get the plugins themselves.

Author
cavemonkey50
Posted
Feb 3rd, 2006 12:09 pm
039

I agree with Rob about locking down the forum. Maybe even allow the public to view it (in case potential users are researching) but not post.

The extension idea is great because it allows you to hide the method of your checks and like you mentioned, even update it in the case of people eventually figuring out a bypass.

Because the extension would only require communication to your server in the event of a pirated copy being detected, it would be relatively light-weight.

As a fan of your site and your design work (esp. your Harry and the Potters shirt) I would certainly install such an extension despite the fact that I am not a Mint user myself. I think this is a very creative use of an increasingly social internet community. Instead of organizing a PriceRitePhoto attack this is the equivalent of notifying the authorities. I say go for it.

Author
Marke
Posted
Feb 3rd, 2006 12:19 pm
040

As suggested by others, try what Trillian and X-Cart do: restrict access to the forums, Peppers, and download area to those with a registered username and password. Then even if someone manages to get a copy they will have a difficult time upgrading or adding any Peppers or even installing for that matter.

The crippled “Free” version is another interesting option and of course, simply stating on the stats page that you are a human being that has to pay the bills may go a surprisingly long way. You can have a “validation” option that removes that nag perhaps…

Good luck !

Author
Shimone
Posted
Feb 3rd, 2006 12:20 pm
041

This may not help with the actual pirating, but for the tracking down if they are legit or not part… vBulletin has some extra fields in the user profile of their forums where people have to put in their membership number and something else before getting any “official” support.

Maybe you can have a field that is “registered mint domain” or whatever unique identifiers you have available so you can easily check your list, or even have it automatically checked.

Unless they have that field filled in, you say no support till you do.

This would be an alternative to locking down the viewing of the forum, it would just lock down the requests by un-validated people.

Author
Aaron Barker
Posted
Feb 3rd, 2006 12:52 pm
042

The FireFox extension sounds like a great idea.

Other than that, all I can think of is hosting on your server a validation script and a bit of code necessary for Mint to run that is called from the Mint installations. If it doesn’t validate, they don’t get the code and they can’t run.

Though again, it would take your bandwidth…but would it take much more than having your server constantly hammered by the proposed FireFox extension?

Author
Elliot Swan
Posted
Feb 3rd, 2006 12:53 pm
043

Well the extension idea seems fine with me. And I’m sure you already log the “pings” you use to check for upgrades on each install.

But to weed out people messaging you and the forums you could always tie in the account emails to the forums and change URL to Mint install URL on http://haveamint.com/contact

Also if you wanted (since pirates wouldn’t expect this) I could have my current and future peppers have a call home script to YOU, I already have mine call back to me (optionally), but I could make yours a little less optional and run it when the pepper is installed

Author
Mike Valstar
Posted
Feb 3rd, 2006 1:00 pm
044

I’m not sure how everybody else goes about choosing what app they’ll use for a specific purpose, but I always try to go into the support forums (which are usually open to the public) to attempt to gauge the community around the application, issues people are having (are there a lot of “XYZ stopped working!” type messages), etc. before deciding to purchase/install. While I definitely see the point to trying to avoid supporting pirated versions (proof of registered copy linked to forum login info before S.I. bothers to help out?), locking out the public from forum access does have a downside.

It might not outweigh the upside though in this instance - just thought I’d throw out an opposing viewpoint.

Author
Jacob Reiff
Posted
Feb 3rd, 2006 1:13 pm
045

Whatever you decide, I am in. Tell me what I need to do/install.

Author
Ryan McAllen
Posted
Feb 3rd, 2006 1:24 pm
046

You contribute so much to the design community it is sad to think people would take advantage. I don’t use mint, but I would love a coldFusion version of it.

Author
George M.
Posted
Feb 3rd, 2006 1:40 pm
047

I too would be willing to use an FF extension if it helped weed out the pirates. The $30 is well worth it and it won’t exactly break your bank account :-)

All of the proposed ideas have upsides and downsides, but that’s inevitable. There isn’t one perfect solution, otherwise everyone would be using it!

Out of them all I would rate the FF extension as the most suitable and then the call-home script.

Author
Keith MLaughlin
Posted
Feb 3rd, 2006 1:49 pm
048

I don’t know if this has been said yet, but it really looks to me like you are not willing to give on anything. Instead of finding ways to reduce piracy, by lowering the cost, or adding benefit to non-pirates somehow, you are looking to do what Microsoft does, by trying to increase security.

You said it yourself that you can’t really stop the pirates out there. Your idea for a Firefox extension will only work until the pirates make enough changes that your new fancy extension that you took so long to write does not work.

While you may think that changing the signature of Mint might take more time than it’s worth, you did say so yourself that people would not believe the complex hacks people have done to get the software to work. I would not be surprised if a few coders took the time to almost rewrite Mint so they could use it without showing up on your radar.

In my opinion, if you want to stop piracy, you have to either take extreme measures, or give in a little so that it’s not worth their while. $30 is not much, but if some kid coder worth $10 an hour takes a stab at it, and it takes him 2 hours to get Mint working without registration or activation or whatever, then he saved himself $10 and learned a thing or two about how Mint works.

Good luck though with whatever you do. Thanks to Peppers, Mint can be really great software.

Author
Brandon
Posted
Feb 3rd, 2006 1:58 pm
049

Jehiah said: A Firefox extension is a great idea… in addition to that I think a hall of shame list is in order… something similar to the password list you find at DefCon (or so I’m told). A little peer pressure might go a long way.

That’s the wall of sheep, it’s a bit different than what Shaun plans. Basically, the Defcon organizers (and various Random J. Hackers, it’s a hackers convention after all) track the wireless communications made via Defcon’s hotspots, and any communication that uses unencrypted user/pass gets displayed on the Wall, username in plain text, the first 3 letters of the password and the domain accessed in plain text (either the IP or the resolved domain name).

Tom’s Hardware once had a video of Defcon 12’s Wall of Sheep, I don’t know if you can still find it there, but it’d be worth checking.

And in the current case, this could generate a case of “mob justice”, which is never a good thing to do.

Shaun said: The extension shouldn’t reveal the verdict to the browser user—that would be the same thing as publicly calling out the pirate—a big neon sign flashing “get yer Mint here!”

Well, if the user wants to know and unless you manage to encrypt the communication somehow (with asymmetric crypto), the user of the extension will always be able to sniff the communications between the extension and you. So, if you go the extension path the extension will more than likely reveal the verdict to some smartypants users, who may — or may not — disclose the “rogue sites”. That said and even though I’m not a Mint user I would install it.

The best idea at first would probably be to lock most of the forum (including everything about the peppers) for buyers only. Segregate between a public zone where new users and maybe-buyers could come and ask questions about Mint, and a support/peppers/community part which would require the users to be authenticated and official (paid) Mint users.

Author
Masklinn
Posted
Feb 3rd, 2006 2:23 pm
050

I’m sorry, but Brandon above is missing the point. The solution to piracy is not to give away the product. Shaun has a right to expect payment for his product, and he deserves it. He doesn’t need to lower the price, OR increase benefits to those who steal.

You don’t go and beg the bank robbers not to rob you.

Anyways, my suggestion is to close the forums down to only paid members (perhaps make their email address their username, or generate one for them.) X-cart does this, and I think it helps.

While a FF extension would be cool, how would one identify a FF installation, especially if they put it in a folder with a different, or random name? Even if you generated a key that had to be on the mint/?js string (like so /mint/?js&k=sxWYxC48 or whatever), it would be equally easy to hack the source for requiring it.

I would NOT close the source, but right now, there are only a few options you have:

  1. Close the forums to paid members only.
  2. Offer some reason why to pay (value adds that encourage wanting to pay, rather than just stealing (perhaps making peppers free to create, but they can only be distributed through the members section, or through you?))
  3. Host the service yourself ala Basecamp, Sidejobtrack, et al.

Anyways, that’s just my opinion :)

Author
Nate Cavanaugh
Posted
Feb 3rd, 2006 2:34 pm
051

I hate to be the devil’s advocate here, but a Firefox extension would just require crackers to go about things slightly differently. Say, for example, you changed the path that you installed Mint to, changed the extension that triggers the JS, and then changed the prefix of the cookies (to something innocuous like, say __utm). How would you then detect Mint?

Also, aren’t Firefox extensions XUL and JavaScript, and therefore similarly open source? Correct? Then it’d be easy to make sure to modify your cracked Mint to avoid detection.

Open source software and paid licensing are not easy bedfellows (see SCO, rampant piracy of Movable Type, etc). The only model I’ve seen work is this: provide the source for free, provide support or a hosted solution for a fee.

Also, people successfully licensing open source software seem to jump at deals with large clients going after a volume license. That doesn’t seem to be the case with Mint.

Author
Jesse
Posted
Feb 3rd, 2006 2:38 pm
052

I think spending too much time fighting piracy is a wasted effort.

While I totally support what you are doing, I feel you will not only spend more resources on a battle than you would gain from possible purchases, but you would create a them v. us attitude.

Very few companies will use pirated software for a paid project. And you know, Karma will get ‘em or something. I feel that a large part of your piracy will come from small personal sites, who prefer your product to an open source alternative, but they’re not going to pay for anything as they’re not willing/able to put that sort of money into a personal project like this. It’s even marketing to get your system used on personal sites so that when it comes round to business, they pay for what they’re comfortable with. I learnt how to web design with pirated software, heck, even with some of my very early toy sites I would have used a pirated mint so I could play around with it. But now I’m running a business and being paid for sites, I would pay instantly. Expectations are higher, I have money and I can support small developers.

I would be scared and uninterested in a company going on witch hunts for pirated software.

Member only forum posting seems sensible, but don’t hide them away. Keep what information is posted open.

Disclaimer: I do not own or use a pirated version of mint, but am currently neither an owner of an authentic mint. I am an interested possible consumer for when I need this service.

Author
James Darling
Posted
Feb 3rd, 2006 2:43 pm
053

I know that as a Pepper developer, I see a lot of referrals from Mint installations. Perhaps some of the developers could host some part of a security mechanism that recognizes these mint installations and checks the domain against your database. This would probably route out some of those evil-doers.

I’d be happy to add some javascript or PHP to my site for this purpose. I certainly would rather be helping people with Fresh View problems if they were legit users.

Author
Kyle Rove
Posted
Feb 3rd, 2006 2:45 pm
054

Once you’ve collected the details of pirates, you will presumably have to do something with them. Naming and shaming is one solution. Here is another, slightly controversial one that occurs to me:

Did you ever read that article about how Starbucks sell a shitty, small - but cheap - coffee, but you’ll never find it on any menus? How you have to request it specifically and how they will be very hush-hush about serving it to you?

The fundamental economics, of course, is getting each customer to pay the most they are prepared to pay. (I can’t remember what it’s called.)

In this case, the pirates clearly view $30 as too much to pay. You can’t lower the price for everyone, or that’s revenue lost. But you could offer the pirates a copy of Mint at a reduced cost (and possibly with reduced support commitments) and that way you don’t take the same revenue hit.

Maybe you could offer it as a “buy it for $15 or go on the public naming-and-shaming list”. It’s kinda controversial - it’s either smart economics, or blackmail, depending on your ethical outlook. I’m not sure where I stand, but it seemed like an interesting idea. What do others think?

Author
Giles
Posted
Feb 3rd, 2006 3:42 pm
055

I like the firefox extension idea. I don’t use Mint but you have a unique and loyal user base. That’s your advantage. Heck, I’m willing to install the extension if it would help and I think it would. It’s a matter of principle and it sounds like many people are willing to back you up on that. Correct me if I’m wrong but it sounds like you’ve already made up your mind. Just do it, and I don’t stand alone when I say we’ll support you! This is a product that merits such a response. Let me know when it’s available.

Author
Dan Gonzalez
Posted
Feb 3rd, 2006 3:52 pm
056

I have to be honest about this, I’m not always opposed to piracy. If you’re in a position where you would never buy a piece of software because of your perceived value in the product or because you just can’t afford it then really, who loses out. Please don’t bother trying to start a piracy argument with me because I won’t enter into one.

Mint is very inexpensive so I can’t think of any way that you could possibly justify pirating it. And even if you think that you can justify such actions there’s still the matter of respect. Shaun Inman really deserves the respect that you pay for Mint in order to use it, he’s not some big evil company, he’s one of us.

Long story short, don’t use Mint if you’re not going to pay for it!

Author
Keri Henare
Posted
Feb 3rd, 2006 4:18 pm
057

What about a system like TypeKey? Or actually using Typekey as your authenticator like Drop Cash does?

Author
blurb
Posted
Feb 3rd, 2006 6:07 pm
058

Crazy idea, and I will admit that I have not read the entire list of comments so I apologize if somebody has already suggested this.

Could the reports not be hosted from the haveamint.com site? Use JSON to transport data from the local install of mint to the haveamint.com site where the report is generated. In this case the local install of mint has no reporting options, it rather just collects the data and stores it in a local mysql database.

Mint rocks!

Author
Jim Rutherford
Posted
Feb 3rd, 2006 7:19 pm
059

I feel your pain. I’m the author of FileChucker, a webapp that does file-uploading with a progress bar and then has a browser-based file-manager to manage the uploaded files.

It started out as just a simple uploader with progress bar, sort of an AJAX proof-of-concept, and I gave it away for free. But it got a lot of interest and people started asking for new features, and I started putting lots of time into it.

So I started to charge a license fee for commercial users only. This worked fairly well, and it seemed that the people who wanted it for their commercial sites were all more than willing to pay for it. But then I started seeing hits in my logs from FileChucker installations that were clearly on commercial sites, from users who hadn’t paid.

So my current solution is to charge a very small license fee for personal use, rather than giving it away, and still charge the much-higher commercial fee for non-personal use. I still get some people buying the personal license and then putting it on a commercial site, but 1) I can often head that off at the pass, because their payment will come from “SomeCompany” rather than “John Doe,” and 2) I’ve been doing what’s been mentioned here already: refusing to support those users until they buy the proper license.

The other thing is that I still have a “trial” version freely available: identical to the full version except after accepting an upload it writes an empty file instead of the actual contents. So people who want to try it before paying can test out 100% of the functionality (uploader, progress bar, file manager, etc).

But of course that kind of thing isn’t always possible; it was a fairly obvious idea for FileChucker, but what about Mint? Maybe only logging/displaying stats for every-other-hour of the day or something crazy like that? Only display stats for today, or this week, etc? Or since Mint is so darn nice looking, maybe pull out all the styling for the trial version?

Author
Anthony DiSante
Posted
Feb 3rd, 2006 8:39 pm
060

As I wrote in the blog entry you’ve already read: I don’t think you should ‘accept’ piracy. The issue is: There’s no point in actively fighting it. It’s a battle you’ll never win. Every hour of coding spent on whatever protection scheme you may come up with would be much better spent on improving Mint itself and / or providing support to the community of paying customers. No matter what you come up with, the kids will have cracked it within days, if not hours. Probably in less time than you spent creating it.

Like many people have already indicated: Just make sure you won’t waste time on supporting pirated copies by requiring people to enter a valid license key on the forum. You could probably program such a forum extension in hours. Like this you won’t waste time on freeloaders anymore.

Author
Marco
Posted
Feb 3rd, 2006 11:01 pm
061

Shaun, the best thing you can do is use these encoders, but only for the install script. I suggest you take a survey and ask all Mint users whether their web host offers Zend or Ioncube and make both versions available, just like Modernbill does.

Although you don’t want to use it, I’m afraid that’s the only solution.

Author
Prashant
Posted
Feb 4th, 2006 12:14 am
062

While I would support it, I feel a Firefox extension would only be a short-term solution.

Restricting forum access to paying customers sounds like a smart move. Mint is an attractive enough product that I doubt there would be a downside to this. Meagrely knowing there is a forum available is a bonus (regardless of its activity, or community size).

That, and all the hype regarding Mint, and the development of Peppers… need I say more?

As far as long-term solutions go, are you prepared to spend so much time fighting pirates, that you end up with something that could easily become a completely separate application? One that focuses entirely on pirate detection and disarmament? It sounds like a cool product, and probably something more than just one company would be interested in… but, is it something you’re interested in?

I feel for you. I really didn’t expect piracy to be an issue for Mint. $30 per site is very reasonable, in my opinion.

Author
Adam Schilling
Posted
Feb 4th, 2006 1:22 am
063

I’m not really a PHP developer, (Java, natch), and neither have I seen the source of Mint, but I don’t think it’s possible to include in an Open Source app a boolean test for validity, as has been said.

Maybe you could use a closed source front controller that verifies itself at startup, or periodically.

How many legitimate reasons are there to hack the code base?

Maybe you can offer two versions of Mint, a developer version that permits code modification, and a normal version that has all the API access, but doesn’t permit mods. (Use an MD5 or encrypted signature of the source to test for mods.)

Or how about making a free version available that only handles a maximum volume of traffic analysis? Surely most of the pirate installs are being used on low volume sites?

Author
Pid
Posted
Feb 4th, 2006 1:26 am
064

I don’t use Mint and I probably never will (mostly because I don’t run a site :), but I would definitely run an extension like this if it would help you catch the bad guys.

Author
Brutal
Posted
Feb 4th, 2006 4:05 am
065

You could make an open source limited developer version and a closed source full version like mentioned above. But it would then only be a matter of time before that is hacked as well. This is a large problem for the software industry that no one has really seemed to solve yet. If there was a 100% effective solution, companies like M$ and Adobe would already be using it. Maybe that’s why companies like google and gate want to host everyone’s stuff, then they can control what happens with their programs.

The best offerings I have seen here so far are in terms of support forums. Making it available only to those who have paid. Your demo is awesome enough for people to see how the program works, I don’t know why they would need to troll the forums first.

Like Joel on Software said about the openness of the code for his product FogBugz, there is nothing in these kinds of apps that is so mind blowing that it has to be kept hush hush like a coca cola trade secret. People that are going to steal will steal, customers that are loyal will be loyal. Just talk to the customers.

If you do come up with a way to secure your software, you should kill Mint and just sell your solution, it will be way more profitable. ;)

Author
bucky
Posted
Feb 4th, 2006 4:57 am
066

Here’s another idea I thought of. Since most likely Mint is getting out by a select few users who “crack” the code, then make it widely available, is there a way that you could figure out which user is responsible for the leak? When it comes to fighting piracy, it’s always good to stop it at the source.

Author
cavemonkey50
Posted
Feb 4th, 2006 7:23 am
067

Google etc. won’t let you search through the html source. But perhaps you can use the Amazon Web Information Service?

Author
jan
Posted
Feb 4th, 2006 9:31 am
068

I think that asking the community for help is a good idea. Those who have paid for Mint, love it, and will gladly help you. Unfortunately, those who do not want to pay for Mint will probably relentlessly try to find a way around paying for it. This may be a good temporary solution, but I’m afraid that piraters will find a way around it.

Author
Stacy
Posted
Feb 4th, 2006 9:37 am
069

I haven’t bought mint — I’m not using it (though I still have shortstat going), so my opinion may be a little off here — but I have done marketing for larger software companies and I have to say, as many people have said, there’s always a crowd that will look for a free way out, and you can’t stop that. However, maybe that’s a good time to take a look at your expense and licensing.

I think it’s quality software, but in my opinion I think it should not be as expensive as Panic’s Transmit, or SuperDuper (to give some examples of software I’ve grown to love)… while I’ve always been a strong supporter of small developers, not if I feel it’s overpriced. I personally have 20 websites lying around, and I host another 15+ for clients — I’m not paying $1050 to track its statistics. Now, that’s high, but even for one site $30 for javascript fed statistics seems questionable.

The point is, from what I’ve seen of larger businesses, the question is where is profitability loss? If $30 per license gives you a 50/50 pirate to legal ratio, what would $20 do for you? Would that open up a new market?

Maybe you need to offer a lower end version, with less features for a much smaller fee — target different financial brackets so that you appease each of your market group. High end license for a single server? Lite version with addons for $5?

What about referral programs? Purchase addons? Have people sell addons? Promote developers who use it with their business?

You’re never going to stop it, but you can embrace it, make money off it in some ways, and lower the loss by evaluating why you’re losing people’s support.

Not least of which to say — you make an app that phones home from my server, and I wouldn’t touch it with a ten foot pole.

That’s just my 2 cents, not meant to intrude, but how I look at it. People will always steal — but going down the path of DRM isn’t going to ease it — make it easier and cheaper for your clients to spend money (cough, iTunes) and watch your business grow.

Author
Brady J. Frey
Posted
Feb 4th, 2006 10:33 am
070

What about marketing to webhosts? Package your product to be a licenced commercial product that could replace webtrends or anything of the like. If you cover the market like that then what incentive would people have to steal it in the first place? Your product is superior, so you could make quite a profit with all the commercial licensing. Just a thought.

Author
George M.
Posted
Feb 4th, 2006 10:41 am
071

Someone may already have mentioned this, I only read half of the comments. But is there a way where you could put an important piece of code on your site (or alternate server) that Mint relies on in order to launch Mint and view results, but not necessarily to log user info (so if the server is down, your site still works without lag). Perhaps, the code on your server is the code for prefs, or for display of the modules that show logged info. It’s essential code, not so essential that users couldn’t develop pepper… but still essential enough to view the stats.

I haven’t purchased Mint for my site yet, but I have for a client’s site. It’s pretty awesome. Yet, even though I have the source, I wouldn’t pirate the software. It goes against my value of integrity. If you can’t afford $30, you’re really a schlub.

Unfortunately as it seems though, someone will always find a way…

Author
Scottrageous
Posted
Feb 4th, 2006 11:01 am
072

Shaun,

I don’t use Mint but I’m a fan of your work and follow it actively. Perhaps you can use some form of an API key through Pepper to ping one of your servers for a registered license check?

But then again, with the source - couldn’t someone simply put a big If statement around your authorization code? Hmm…

I’ve seen a lot of HTML and JavaScript solutions (for things like Menus) take all of the empty space and return characters out of code so that, while it’s possible to hack the code, you wouldn’t necessarily want to read and reverse-engineer the authorization part of some 20-page chunk of code that is machine readable, but a REAL eyesore. This isn’t code scrambling, but increasing the deterring hackability difficulty.

Email me and I may be able to find some links that would be more helpful!

Author
Emile
Posted
Feb 4th, 2006 1:22 pm
073

Hey. A few issues.

I’ve had to deal with a lot of this stuff in the past (with NewsMonster my last commercial client-side app). So just for the record I am a commercial software developer and have had to deal with this.

  1. Factor in that 5-10% of your users will be pirates. Don’t worry about this.. you can’t control it. Only worry about it when it gets out of hand. Remember that just because they’re pirates doesn’t mean they’re evil. Some people literally can’t afford $30 … It’s a big red flag though.

  2. Can you add an auto-update feature and other functionality that silently phones home? Granted this could be disabled but odds are that people will forget about this once Mint is up and running.

  3. Can you reverse the problem ? I don’t want to host my own mint. I’d SERIOUSLY pay you to process the logs for me. I could FTP you my logs and you build the stats. This way you’d have more customers and wouldn’t have to worry about piracy. I’ve been meaning to ping you about this actually… I’d give you $30 right now if I could do this.

Author
Kevin Burton
Posted
Feb 4th, 2006 1:53 pm
074

I’m planning on buying Mint in the next month or so. From my perspective the price seems totally reasonable, it’s not like it’s per month and Mint is a polished product. Personally I’d completely support closing the forums or most of them and Pepper to the public. There is no real downside as long as there is at least one public forum where it would be clear if there was widespread unhappiness from paying users.

Author
Alex
Posted
Feb 4th, 2006 2:03 pm
075

You make a Safari version of your anti-mint piracy and I’ll install it. I’m very happy with my mint (will be even happier when Safari SVG support matures in the nightly builds).

Author
Matthew Brown
Posted
Feb 4th, 2006 2:39 pm
076

I don’t know if you’re reading this far down the page, Shaun. You clearly understand that trying to lock down or obfuscate Mint is pretty pointless.

The Firefox extension isn’t a bad idea, but I’d never use it (not that I use Firefox). Despite the enthusiasm here, it is an extra hassle that most Mint customers won’t bother with.

Since you can’t make bits un-copyable, software-as-a-product has to compete with free through support and features. Having awesome peppers, the Dashboard widget, etc. available for paying users only is one way. Restricting the support and pepper forums to paying users is another.

Ultimately, trying to gather all these things from other sources becomes more work than just paying the $30. :)

The harsh reality is that you have to earn your customers’ money. Give them compelling reasons to get Mint straight from the official source.

Author
Paul D
Posted
Feb 4th, 2006 6:12 pm
077

I would totally run a Firefox extension to help. thumbs up

Author
Mr. J.
Posted
Feb 4th, 2006 9:23 pm
078

I guess the only proper solution you could do is host the code yourself, but then you would be having a whole different service. Start a list in your forum where people can dob others in for piracy.

Author
Fabian
Posted
Feb 4th, 2006 10:25 pm
079

Shaun, Mint is a great application. After much research and deliberation, I chose Mint because you have an intuitive understanding how to make site stats accessible, immediate and useful.

The value that Mint has added to my own business far outweighs the $30 spent. I agree with Kyle’s opening remarks about looking “towards the community for help”.

I am unable to contribute to most of the technical comments already submitted. However I will support you the only way I can right now.

By buying another site license, for a sub-domain, instead of asking for help through the Mint forum.

Don’t stop doing what you do because of the few - keep doing what makes Mint (and you) great.

Don’t let the bastards get you down!

Author
eventfinder
Posted
Feb 4th, 2006 11:14 pm
080

Well, not sure what I intended to write here, but I gotta throw in my two cents. I’m not entirely sure, but I believe I may be the one mentioned above - I had mint bought for me day before yesterday. I, personally, find two possible reasons for ‘pirating’ mint - the aforementioned ‘try before you buy’ point first. I have used statcounter.com for a long time, then suddenly my site took off and they told me they would have to drop me because I was getting too many hits for their free system. So, I go looking for a free service that offered a higher roof on its free service - and couldn’t find one. I can’t recall why I didn’t consider a locally hosted solution at the time, I guess it merely failed to come to mind - anyway, as if by magic, the perfect solution floated to the top at the source - mint. I have no compulsions about paying 30$ for software this awesome for a personal website nor a professional one, but the website I was intending to use this for and that statcounter.com dropped me for was split into many many small parts, each with its own domain (not subdomain, full domain). I was not about to pay something in excess of 1000 dollars for this software, no matter how awesome it is. Shaun, I don’t know your take on this, but I suggest you put SOME SORT of free trial, or reduced no-pay version up for people - a demo on somebody else’s site is all good and well, but there is nothing for creating a warm feeling in your heart (and making you love and buy this software) like watching the live action on your site in the mint window. Second, 30$ for every DOMAIN is too much - there should be some sort of version for mass-users, perhaps for people with more than 5 domains in a single site or something.
I don’t know, but I would be more than willing to pay 100$ or so if I could install a copy on each site in the network, because for now I am restricted to tracking a single section of the entire network (yes, I ended up buying mint - of course I had to have it - I think mint would be a good nickname for a drug, certainly addictive, you know, ice, slab, mint, etcetera). Don’t know what else to say, other than I wish there was a way I could track my site with your software, but there isn’t legally. Right now I am creeping along with one installation at the central site and an installation of Level 10 Hit Counter for every other site (L10HC just can’t compare, and I hate flash on principle).

Author
The 'Culprit'
Posted
Feb 5th, 2006 12:02 am
081

Find a nice deal with some web hosting company and start offering Mint as a service (instead of a downloadable webware). Let customers download only local PHP stuff, but the GUI and stuff should not be downloadable, but rather hosted on your service site. Use XMLRPC or SOAP to do the communication between local PHP stuff, and the GUI. You will have the same functionality, but without the need to download your software. Instead of licenses you will just handle the accounts of your customers. You can always delete/purge/ban/deactivate bad accounts (just like adult entertainment sites do when they find accounts for their sites posted on FREE-PASSWORDS sites). I saw that other people suggest the same and it really seems very reasonable.

Author
Kaloyan
Posted
Feb 5th, 2006 12:08 am
082

I thought I would add my bit here being a developer myself as well as the owner of a copy of Mint (and just about to buy a second license to show my support).

There is no full way to protect yourself from piracy - there will always be those who go to the extreme to get something if they really want it. What we can do is slow them down, make it as much of a “pain in the ass” as possible for them to get their hands on things.

A hosted solution is not what people are after. What happens if Shaun disappears? The load becomes too much to support on his servers? The server goes down and I need to produce statistics for a client? A hosted solution would turn too many people away. Yes, even if you were just hosting the reporting tools, or the interface.

Closing the support forums to unlicensed members and only offering a “Pre-sales” forum to those who aren’t identified as licensed Mint users is a good idea - one I’d recommend you get done as soon as possible.

Back on the actual code for a minute, yes, encrypting the code is a bad move because of requirements for decoders (some of which do not work on the latest versions of PHP), as well as closing the source for others developing Peppers (who may want to have a look at how something works) or modifying the source for personal use.

What I’m also suggesting, in terms of slowing pirates down with Mint, is mainly for Pepper developers. Develop a SOAP (or similar) API which Pepper developers can make requests to from their site to the haveamint.com server to validate a user’s credentials before letting them download a Pepper (of course, this would be no problem with an official site for Peppers). If security is a concern, then don’t use an API, get the site to send the user to a page on haveamint.com explaining that they’ll be allowing website xyz to validate the user’s mint license before downloading a plugin. Then, on the mint server set a session cookie for the domain the user is requesting access to, redirect them back there with that and then the site can validate a plain session id against the Mint server - revealing no personal information.

Just something which could also help slow people down - as I’m sure Pepper developers do not like seeing their Pepper being used on pirated copies of Mint.

Author
Chris Boulton
Posted
Feb 5th, 2006 2:38 am
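
The redirect-and-validate handoff described in the comment above, sketched as an added example (not part of the comment and not Mint's code). `LicenseServer`, its methods, the account names and the `example.test` hosts are all hypothetical, and the calling site's identity is assumed to be authenticated out of band, for example with a per-site API key.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    site: str          # the Pepper site this id was issued for
    licensed: bool     # verdict, decided when the id was issued
    expires_at: float  # absolute expiry time in seconds
    used: bool = False


class LicenseServer:
    """Stand-in for the vendor's license server (hypothetical API)."""

    TTL_SECONDS = 120  # assumed lifetime of an id between redirect and check

    def __init__(self, licensed_accounts, clock=time.time):
        self._licensed = set(licensed_accounts)
        self._grants = {}
        self._clock = clock

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked grant table holds no usable ids.
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize(self, account, site):
        """Runs after the user logged in at the vendor and agreed to let
        `site` check the license. Returns the opaque id for the redirect."""
        token = secrets.token_urlsafe(32)  # random, carries no account data
        self._grants[self._key(token)] = Grant(
            site=site,
            licensed=account in self._licensed,
            expires_at=self._clock() + self.TTL_SECONDS,
        )
        return token

    def validate(self, token, calling_site):
        """Back-channel check made by the Pepper site. The answer is a bare
        yes/no: no account name, e-mail address or licensed domain."""
        grant = self._grants.get(self._key(token))
        if grant is None or grant.used:
            return {"licensed": False}      # unknown id or replay
        grant.used = True                   # single use, fail closed
        if calling_site != grant.site:
            return {"licensed": False}      # id was issued for another site
        if self._clock() >= grant.expires_at:
            return {"licensed": False}      # redirect took too long
        return {"licensed": grant.licensed}


def may_download_pepper(server, site, token):
    """What the Pepper site does with the id it received in the redirect."""
    return server.validate(token, site)["licensed"]


if __name__ == "__main__":
    # Constructed accounts and hosts, for illustration only.
    server = LicenseServer({"paid-user"})
    token = server.authorize("paid-user", "peppers.example.test")
    print(may_download_pepper(server, "peppers.example.test", token))
    print(may_download_pepper(server, "peppers.example.test", token))
```

Because the id is single-use, bound to one site and short-lived, a copy of it captured from a redirect URL or a referrer log is of no use elsewhere.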
083

This is a good idea. The way where other people steal your product can’t be accepted. If you do a good job you should be able to get money for it!

Author
chris
Posted
Feb 5th, 2006 2:56 am
084

I’m going to chime in again …

I haven’t bought Mint yet, but I’ve been giving it some serious thought over the past week. From this position, I’m quite concerned by the number of cries for “shut the forums down!”

I find it a far more effective sales-pitch to be able to go and browse your forums and see the huge size of community, than anything you could ever put up on as a tour. Knowing there are a lot of people helping out with support questions and writing new Peppers is a really big sell for me, and one that I wouldn’t get were the forums closed to outsiders.

Of course, that doesn’t preclude you from stopping newbies posting, but, assuming I’m not alone, I don’t think it would be beneficial to your business to stop newbies browsing too.

Author
Giles
Posted
Feb 5th, 2006 4:45 am