SmartFlow Compliance Solutions: Taking the offensive on Software Piracy

This week Synopsys announced “unauthorized third-party access to Synopsys EDA, IP and optical products and product license files through its customer-facing license and product delivery system. The unauthorized access, which began in July 2015, was discovered by Synopsys in October 2015.”

The fact that the company needs to make this announcement is indicative of a new attitude towards an old problem: Software companies who lose their products to theft and piracy no longer want to just buck up and get past it, particularly in EDA. Instead, they want tools and strategies to go after their adversaries. The newly launched startup SmartFlow Compliance Solutions, just announced last week, is planning to offer such tools.

Launched by Ted Miracco – one of the founders of EDA vendor AWR Corp. – SmartFlow is based on his experience dealing with pirated AWR product software, including tracking down and forcing restitution from companies who were proven culpable. In a phone call last week discussing his new company, Miracco said pirated software is more than just an occasional nuisance, it’s resulting in billions of dollars in lost revenue to the companies whose products are being used without licenses.

More profound than lost profits, however, is the ’tilting’ of the playing field. When companies who use pirated software to design chips or systems are able to undercut their competition by underpaying for the tools they need, or by not paying at all, the competition is hobbled.

In response, SmartFlow has engineered a complex set of tools and protocols that will allow companies to unearth pirated instantiations of their software across a variety of customer profiles. To begin their effort to build those tools, Miracco and his team looked closely at software non-compliance around the globe, parsed the different types of pirates and examined their principal strategies.

“There are four categories of offenders in the area of non-compliant or pirated software,” he explained.

“First are the anarchists, hard-core pirates who believe software should be free – everything should be free. They include students, the unemployed, or those who evade the authorities through the ‘darknet.’ They do not serve as a good revenue-recovery target for SmartFlow or our customers, however the other [categories of pirates] can be converted to good customers.

“Type two are called ‘soft pirates.’ Users can find free or low-cost versions of any software quite easily online. If you simply Google the name of a piece of software along with the word ‘crack,’ you can find free or low-cost versions available on dodgy websites.

“These websites redistribute cracked software using credit cards for payment. People who buy it online usually suspect it’s not legitimate, but they rationalize buying it anyway and quickly choose to forget where they got it from, or consider it an evaluation. These versions are dangerous as they are illegal, and are sometimes infected with malware or spyware on top of the copyright violations.

“The third type of pirate is a ‘victim’ – similar to the soft pirate, but the victim truly did not realize the software was counterfeit. Sometimes these users are simply not aware of who installed the software, or are not familiar with terms of the license agreement. This happens if the software is pre-installed or purchased by a dishonest distributor or re-seller.

“The fourth category of pirate user is what we call the ‘rogue companies.’ Many of these companies are based in Asia, the Middle East and Eastern Europe, but they can also include Western startup companies. In all cases, these are companies where the management team is complicit in the crime, with a deliberate, premeditated policy to utilize counterfeit software as a competitive advantage in the market.

“Many Chinese companies operate this way as their standard way of doing business – this is factually evident as the piracy rate in China today is in excess of 90 percent. Chinese piracy is prevalent in small, medium and large commercial companies that routinely export consumer electronic products to the United States and Europe.

“’Rouge companies’ also include the many government research laboratories and defense contractors involved in military programs that may be subject to export restrictions. These export restrictions apply to many defense firms operating in Russia, China, India, Pakistan and Iran, among others, where piracy is their way of bypassing the restrictions.”

The piracy landscape as laid out by Miracco was so comprehensive and dreary, I asked if there are any legitimate customers anywhere.

He answered, laughing, “This is why we got so serious about pirated software at AWR. It was obvious that legitimate companies were underwriting all of the R&D costs for the others – the legitimate piece of the customer pie was getting smaller and the illegitimate piece was growing.

“In addition, the rise in Asia-based software piracy has meant that legitimate customers, for example Lucent, Nortel and Motorola, were unable to compete, and either shrank or disappeared completely as EDA customers. They could not compete on price with foreign competitors who were not paying for the same EDA tools, and this resulted in both job losses and lost revenues.

“In all cases, owners of intellectual property have a legal, ethical and fiduciary responsibility to their shareholders, customers and employees to take action on these matters. It is no longer acceptable to tolerate piracy when there are known, effective means to address it.

“We take this situation very seriously at SmartFlow and we know the problem extends beyond just software companies.

“There was a recent judgment in a Louisiana lawsuit, for instance, where Mercedes Benz sued an auto-parts company there that sold more than $17 million dollars of stolen Mercedes Benz diagnostic software to independent repair shops, so they could bypass the Mercedes Benz dealer network. Mercedes succeeded in shutting the auto-parts company down and protecting their dealers, because dealers make their money on servicing more than on the initial sale of the car.”

If this situation with pirated software is so dire, I asked Miracco why software providers don’t solve their problems internally. Why don’t they put tracking devices into their products to prevent illegitimate use?

He said, “The answer is quite straightforward. Companies feel that having an industry-standard supplier of software ‘armor’ is preferable to having their own internal, proprietary solution. Customers prefer commonality, the idea of having an outsourced security firm seems beneficial.

“An independent supplier who is thinking about security issues 24×7 is more likely to keep up with the hackers. For best practices in security, there is always safety in numbers.

“The EDA Consortium certainly sees it that way and knows the stakes are very serious, and SmartFlow agrees with that. The real concern in EDA is that more and more of the IP being developed in Asia is being done with illegal software. The situation has been reduced to an arms race between those wanting to protect IP and those who want to undermine those protections.

“Ten to fifteen years ago, many believed China would go legitimate with respect to their software once they had the money to do so, however that did not happen.

“Despite decades of double-digit growth, rising salaries, and a transition away from just manufacturing, there is a stubborn reluctance to pay for software. For example, Microsoft’s revenues in China are less than their sales in the Netherlands, while China has over 650 million users on the Internet.

“Look at EDA. The compliance teams at Cadence, Synopsys and Mentor have limited resources, so there is a need for industry standard players in the market to create sensible solutions for them and other EDA vendors.

“Companies like SafeNet and Flexera can provide the license management, so very few EDA and IP companies build their own license management schemes. SmartFlow fits that model, is both complementary and compatible with the leading license-management systems, and provides a safeguard if these security features are circumvented.”

Miracco said his own experience in EDA confirmed this point of view: “We only built our own security system, because at that time no one else was doing it. We were the pioneers in the field more than 12 years ago when the build-versus-buy decision was not possible, because at that time there were no vendors to meet the need.

“There are a couple of commercial companies in this space today, but we will be providing far more capability because of our domain-specific knowledge. We’ve become the compliance experts, with numerous trade-secrets, by virtue of working on this for more than a decade.

“From the interaction we have had with our early customers, it is obvious we know a lot more about because of working with a diversity of companies in a many different niches. Any individual in any of our customers’ organizations would have more limited access than we do to what is taking place across the broader software market.

“In my early years at AWR, we were asked: Are people stealing your software and how much so? We never had an answer, but we could always find black market copies, so we knew there was a real problem – particularly in the global market.

“We eventually put in a feature to check for the latest version of our software, and could then see from our support database that 50 percent of the serial numbers in use were bogus. In Russia and Eastern Europe, it was worse – up to 90 percent – while in China, a full 99 percent of the users were using unlicensed or cracked copies.

“That was our situation in 2002, but from that point on we started to develop a process for identifying those companies who were infringing on our software.

“At AWR, we also worked closely with a company called ITCA, founded by Chris Luijten, to help us with our revenue recovery opportunities and this worked out really well for both organizations. ITCA had developed a highly advanced cloud-based system for managing compliance cases and we were impressed with the technology.

“Then in 2011, AWR was sold to National Instruments. After working through the transition and integration with NI, I was interested in being an entrepreneur again and felt this piracy problem demanded more attention.

“In 2014, Chris and I founded SmartFlow Compliance Solutions with a mission to develop technology to help all software companies fight piracy and protect their intellectual property. Together, we saw that there was a big opportunity to provide this capability not only to other EDA companies, but to all companies with valuable software IP.

“We’ve been operating in a stealth mode since 2014, but we are now announcing broader availability of the SmartFlow SDK and case-management solution. Our timing is good, because the problem has only gotten worse since my early experience in EDA, and is particularly exacerbated in Asia right now.”

I asked what exactly SmartFlow Compliance Solutions is offering.

Miracco said to understand that, it is necessary to explain the ways that software can be pirated – a particularly useful discussion, given the ‘break-in’ at Synopsys.

“There are three main techniques for pirating software,” he said. “Anytime a new piece of software is released, the pirate population will try one or more of these techniques.

“First, is to use a key generator, which basically gives you a key to get into all the features of the software.

“The second is using binary patches to essentially bypass the license manager. That strategy rips the locks right off those door handles put in place to protect the software.

“The third technique is more sophisticated, where the pirating company buys legal licenses to the software. Once they have a license file to use on a particular machine, they make cloned copies of that machine and use multiple copies of the software on each machine using the legal key.

“This strategy is tougher to detect, since it’s not explicitly about using broken licenses. But our tools can detect and counteract these strategies, and others approaches as well.”

Miracco laid out the SmartFlow protocol: “First, we detect if the software has been tampered with.

“Second, we have a data acquisition piece to deliver – who, what, where and how often the software is being pirated. We process that forensic information, match it to companies, and quantize the value of piracy infringements. We then mine that data and put together a comprehensive history, based on which we are able send out cease and desist letters on the behalf of our customers.

“We also provide dashboards, charts and comprehensive reports that can be used by our customers at boards of directors meetings to show how management is successfully tamping down on piracy.

“With all of this, we have had a very good track record of success to date,” he said.

I asked Miracco if SmartFlow is naming any of their early customer successes.

“We don’t display our customer list for obvious reasons,” he answered, “but we have customers that are generating more than 10 percent in incremental revenues by converting pirating companies into paying customers. Most of our clients see a return on their investment in SmartFlow within 6 months of deployment.”

Miracco ended our conversation on an emphatic note: “The basis of what we’re providing as a company is not just security, but a ramp-up in revenues and, more importantly, a growing realization on the part of our customers that a software company does not need to just sit by and accept piracy as cost of doing business!”

****************

Tags: AWR Corp., Cadence, Chris Luijten, EDA Consortium, Flexera, ITCA, L:ucent, Mentor Graphics, Mercedes Benz, Microsoft, Motorola, National Instruments, Nortel, SafeNet, SmartFlow Compliance Solutions, Software Piracy, Synopsys, Ted Miracco

This entry was posted on Wednesday, November 18th, 2015 at 8:43 pm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.