My first experiences with “nulled” (or back in the day “cracked”) software date back to the golden days of the Atari 8-bit and Commodore Amiga. Blank floppy disks were cheap, and like most kids, I did not have a lot of money or even at times access to legitimate software distributors. Naturally, the way we got it was through writing our own — and illicit copying from friends and user group meetups, downloads from BBSes. Once I even visited the motherlode for “warez” — cheap knockoff cloned software and even hardware! — in Hong Kong’s Golden Shopping Arcade in the mid-1980s.
In my defense, we were kids, everyone was doing it, we didn’t have money — and there weren’t any viruses yet. We thought software should be free — if not free as in beer, free as in “do whatever you want with it.” Fortunately, the ability to pay for software arrived at about the same time as serious malware.
Over at the Freemius blog, Scott Murcott notes that these same motives are at work today among young people, but also among adults with darker motives and moneymaking schemes built on nulled commercial GPL software, such as many WordPress plugins and themes. These nulled versions often do have malware payloads and infringe on trademarks by representing themselves as the real thing, so a clueless buyer might actually think they have a legit version.
Scott explains all the (many!) reasons why using nulled software is a terrible idea. He also talked to a number of plugin developers about their experiences and successes in dealing with people illegally distributing their work as “warez.” Legal enforcement just isn’t a viable option most of the time, but some developers have found ways to cut off the illicit distribution of their work through a mix of technical savvy and diplomacy.
Sometimes DMCA takedown requests are a worthwhile option. Sometimes informational material and warnings aimed at nulled software users might have a positive effect. That surprised me, but it’s good to know there are things that can be done to protect your livelihood as a digital product owner or developer.
One thing you can do is recognize that a lot of people with nulled code may not know, or enjoy, where it’s likely to lead them, so identifying those who are at risk or getting burned might be worthwhile. They might become customers. Presumably, that’s who Patchstack security advocate Robert Rowley is targeting with a similar post and podcast episode over at Patchstack Weekly. Some people really do need the explanation of why you shouldn’t use nulled plugins and themes.