ESD Alliance And SEMI Efforts To Combat Design Automation Software Piracy

Piracy is a growing concern for all software providers, especially those of us with complex and specialized software, such as chip design automation software that is expensive to develop and maintain.

That’s why the Electronic System Design Alliance (ESD Alliance), a SEMI Technology Community, spearheaded an industry joint development effort to develop a server certification protocol that would close a loophole often exploited in software piracy schemes. Cadence Design Systems, Siemens EDA and Synopsys were members of the industry-standard SEMI Server Certification Protocol (SSCP) joint development committee. SSCP is applicable to protecting any high-value software product(s) that use license management systems to control access to and use of software licenses. It is now available for licensing from SEMI.

One of many SSCP supporters is Ted Miracco, a founder and executive vice president of AWR Corporation, now part of Cadence, and someone at the forefront of combatting software piracy.

In the Q&A interview below, Bob Smith, executive director of the ESD Alliance, and Ted talk about AWR’s software piracy problem and the challenges confronting software piracy and license compliance. Once Cadence acquired AWR, Ted spun out the software piracy group and formed Cylynt with the mission to develop technology to combat software piracy and intellectual property theft. He’s now CEO of Approov, developer of mobile app security, a company that started as EDA software provider CriticalBlue.

Smith: How did you determine the size and scope of AWR’s pirated software problem?

Miracco: We discussed with our board members the problem we had with software piracy. The board asked us about the size of the problem, but we didn’t have data. It was a big problem because we found both online and illegal DVD copies that were copies of our latest software versions that could be distributed and installed without a license.

Smith: What did you do?

Miracco: Because every security license management solution was broken and continually cracked, we had to develop our own solution in the form of phone home technology that would detect and report back. This was all pre-GDPR and CCPA and gave us our first indication as to how big the problem was. It was more of a check for update features, because we were also updating the software over the Internet. Once we started checking, we would look at the software serial number to see if it was eligible for an update and on a support contract. We noticed a huge percentage of the pings to our server were from serial numbers that were not genuinely licensed.

Smith: How bad was the pirated software problem?

Miracco: A board member asked us the percentage. We said it was 60%. More than half of our users were using illegal copies, so we were only getting paid on the 40% paying customers and we were able to quantify it into the vast amount of losses we were having. It varied by country and geography. China and Russia were the highest where the piracy rate was 99% and 98% respectively. Even the U.S. was quite high at around 17% or 18% of the users.

Smith: What kind of plan did you put in place?

Miracco: Once we had some telemetry data, we couldn’t tell who was using the software and needed to figure out if we could identify who was using it. IP addresses were useful. In some instances, we looked at the serial number and the IP address. If it was registered to a certain company that was either not licensing the software or had taken place in an evaluation, we could then send a cease-and-desist letter to them or request that they place a purchase order.

Customers became more and more sophisticated at trying to evade that technology. It became a bit of an arms race in terms of developing more and more sophisticated telemetry data to identify users and connect the dots between the person using the infringing software, the company that owned it and what they were doing with it. We turned to our legal experts and ended up filing lawsuits.

That led to sending letters. In some cases, we didn’t receive a favorable response. We did in places like Japan. If we sent a letter to Japan advising of illegal use, customers were quick to apologize and remedy the situation by placing orders for the licenses they needed. Other countries would ignore the letters. In those instances, we had to file a lawsuit against the company that was infringing and that can be a time-consuming and expensive process.

Ultimately, we were questioned about both the legitimacy and the legality of the data collection. Our IT stood up to the legal process and we were awarded summary judgements.

China was particularly challenging. In many cases, we received no response. We were able to file cases and receive judgments against Chinese companies. Even if the infringements were in China, we could enforce our copyright. It typically resulted in the purchase of licenses, and long-term customer relationships.

Smith: What was the outcome?

Miracco: It was an effective program and helped us to reverse what was a trend toward more and more software piracy. The amount of piracy reported via the phone home telemetry we were collecting dropped from over 60% to less than 40% – a significant improvement.

Smith: What does the landscape look like now?

Miracco: While we made progress, pirated software users became more sophisticated. They figured out ways to work offline, copy legal licenses and duplicate servers.

Tamper detection and phone home technology isn’t as relevant today as it was in 2014 when we were using it in a powerful way. Users wised up to the fact that companies are using phone home, and if you’re using a tampered copy, you’re going to get caught. They rarely do it that way today. Now it’s all done by piracy websites where you can download applications, install them and run them without a license. It’s a quick and dirty method of going to a piracy site and downloading a copy where the security module is broken.

You don’t need to be any more sophisticated than that. Software pirates don’t want to get caught. They need to do the minimum necessary to get access to expensive design tools without triggering any alarms. If they can, they run a license on identical hardware. If it appears to be identical to the license manager, then they have everything they need to run it. And because they have a valid license agreement with the supplier, they’ll have access to technical support and be a supported client customer, even though they’re not paying fair market value for what they’re using.

It’s always a game of cat and mouse and the level of sophistication grows on both sides. More sophisticated piracy users are either air gapping their computers so that they cannot phone home or they figure out other means of using legal licenses, cleverly architecting subnets to clone the hardware and servers and use identical legal copies. Essentially duplicating them within their computing environment so that they can buy a limited number of licenses but use cloned hardware to create more instances of it.

Smith: You are a great supporter of the SEMI Server Certification Protocol.

Miracco: SEMI’s secure server authentication process is something I strongly encourage companies to use, because of the way that people pirate software has changed. Technology needs to evolve, and this is a powerful new technology for protecting software intellectual property.

Note: SEMI is licensing the SEMI Server Certification Protocol (SSCP). For more information about the protocol, including licensing, send email to: [email protected].