Hex-rays is moving to a subscription model

Hex-rays is moving to a subscription model(hex-rays.com)

106 points by qw3rty01 4 years ago | 119 comments

nekitamo 4 years ago |

I've been a customer since ~2010, and have been paying out of my personal pocket the $469 / year support renewal for a standard IDA Pro named license, which I've carried with me through various jobs in my career.

The new subscription model will almost double my costs ($900 / year), all while I've been getting less and less value with each update. Furthermore if I ever stop paying, I will lose access to the product.

Whereas if I stop paying now, I will maintain indefinite access to what I currently have.

I think I simply won't renew next year, and will rely on Ghidra to fill any gaps going forward.

masklinn 4 years ago | |

> Furthermore if I ever stop paying, I will lose access to the product.

Wow, not even a perpetual fallback license?

I wasn't super thrilled when Jetbrains switched to a more subscription-based system, but being grandfathered in (so I didn't have to restart the subscriptions as if I were a new client), the heaps of existing goodwill they'd built up, made the changeover much less of an issue, and super importantly finally listening to customer and adding perpetual fallback licenses alleviated much of the fear.

ShrigmaMale 4 years ago | |

The real reason for many subscription models is to juice more revenue from users, charging over time allows for a higher price with less sticker shock.

errantspark 4 years ago | | |

The real reason for the software as a service model is that it makes it easier to extract/capture value. Many SaaS offerings would be better at providing value to customers with non-SaaS architectures, unfortunately providing value to customers is second to providing value to shareholders.

Don't pay for SaaS, don't encourage this bullshit. If foss offerings don't cover your usecase piracy is better for humanity than paying.

vmception 4 years ago | | |

There was once set of Christmas themed console controllers (one Red, one Green) with the model name "Profit Driver"

For whatever reason at the time, that opened my mind to why people do things

ljhsiung 4 years ago | |

I'm a big fan of the radare2 suite. The integration of its ecosystem/plugin support is phenomenal.

Only the decompiler is better in Ghidra, IMO, but I'm sure there's a plugin for that.

ShrigmaMale 4 years ago | | |

There is. Rizin also has some interesting improvements (like mew save by serialization of state instead if command sequence) which is nice since it initially looked like a CoC fork.

TkTech 4 years ago | |

I'm in the same boat. It's finally passed the point where I'd rather spend a few slow weekends adding missing QoL features to Ghidra then renew IDA.

teakettle42 4 years ago | |

This is going to increase my costs from $4800/year to $8000/year, and yeah, no more perpetual license.

I’ve been paying for Hex-Rays out of my own pocket for a decade because it’s a great tool, but $8000/year for a personal license subscription? Forget it.

squid_demon 4 years ago | |

Just make sure you get the latest Ghidra update with the log4j issue addressed :)

shagie 4 years ago | | |

... and readdressed. https://logging.apache.org/log4j/2.x/security.html

> It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

jdefr89 4 years ago | |

BinaryNinja... Switch to that.

PragmaticPulp 4 years ago |

As alternative tools like Ghidra or even some of the cheaper options like Hopper become more popular, I suspect Hex-Rays recognizes that corporate licenses are their bread and butter. From a business perspective it makes sense to squeeze as much out of these companies as they can get away with. The subscription costs are only a fraction of an annual salary.

Unfortunately this leaves the hobbyist and individuals behind. ~$1K/year isn't out of the realm of what I pay for other tools, but it's really hard to justify it when I can open Ghidra and get 95% of the way there without the subscription model.

IDA really is great for handling edge cases and obscure architectures, but I hope this last switch-up by Hex-Rays pushes even more developer attention toward improving the open-source alternatives.

loves_mangoes 4 years ago |

Taking away the option of perpetual licenses is an interesting business decision. Jetbrains makes the subscription model work, but they also do give you a permanent license to older versions after 1 year of subscription (which is a great incentive to keep people renewing!)

Historically, IDA Pro's sales and licensing has always been a bit of a headache for customers. I could understand that the OPEX model makes it easier for some companies to keep renewing.

That just goes to show that I'm not their target market. Even if IDA had a pay-what-you-want option, the 10-20 I'd be willing to pay per month while using a leaked version is clearly completely negligible compared to what they normally charge.

And I'm happy to just use Ghidra instead of bothering with an IDA leak, so I suspect this announcement might simplify things for their existing corp users, but it'll probably not do a great job of expanding the home userbase.

dcminter 4 years ago | |

JetBrains had a mis-step on the way to that model (but had the sense to listen to their customers): https://blog.jetbrains.com/blog/2015/09/18/final-update-on-t...

thaumasiotes 4 years ago | |

> Jetbrains makes the subscription model work, but they also do give you a permanent license to older versions after 1 year of subscription

That happened after they announced the switch to a subscription model to overwhelmingly negative feedback.

ygjb 4 years ago | | |

You do realize that is a win from a customer service and reputation perspective? Jetbrains listened to their customers, and amended their model. That is the kind of responsiveness I would appreciate in a vendor, especially if it's a vendor that produces tools that I enjoy using or help me make money.

Anyone who has worked on customer facing projects or tools know there is always overwhelmingly negative feedback to billing increases. What is less common is vendors being responsive to that in a way that is actually beneficial to customers. That is doubly the case when you are dealing with high quality, specialty tools that have free or open source competitors that are good enough to get by, but not great (Adobe suite vs various free and open tools, for example).

skoskie 4 years ago | |

Jetbrains is also just $5/mo for the one app I use, and I get a lot of functionality for that.

MikeBVaughn 4 years ago |

I really like IdaPro, but this guarantees that I move to Ghidra.

I think the worst part though is the bit about prohibiting future re-downloads for users who bought perpetual licenses in the past. The sort of company that pulls that nonsense is very precisely not the kind of company I expect to provide a good customer experience in a subscription product/service.

That is absolutely, 100% a complete deal breaker when it comes to the prospect of me ever doing business with Hex-Rays.

ntauthority 4 years ago | |

> I think the worst part though is the bit about prohibiting future re-downloads for users who bought perpetual licenses in the past. The sort of company that pulls that nonsense is very precisely not the kind of company I expect to provide a good customer experience in a subscription product/service.

IDA never offered redownloads past the end of your 'support period'. As their last renewal email to me said:

> Please check our web site and the protected area for new files. If you find anything interesting or useful, feel free to download it immediately. Once your support period is over, the server will not prepare new download links!

MikeBVaughn 4 years ago | | |

Thanks for catching that! The core point still stands, though, I think that approach is customer-hostile and entirely at odds with the sort of customer service I expect from a company offering a subscription.

jchw 4 years ago |

Dear Hex Rays: I’m not switching to subscription for these prices. Signed, a paying customer with multiple licenses, and future Ghidra user.

CoastalCoder 4 years ago |

I'm curious about the interplay of two items from their FAQ:

> 10. What if I do not renew my subscription? If subscriptions are not renewed, you will lose access to the software on the day that a new subscription should have started. Please note that the software will stop working if not renewed.

> 13. I have an IDA perpetual license, when do I have to change to a subscription? At the end of your current support period all renewals will be moved to the subscription model. We are offering our existing users an opportunity to pay only your current renewal price for your first year on the subscription plan.

So maybe I'm mistaken, but it sounds like they're trying to renege on perpetual licenses?

delusional 4 years ago | |

Just below:

> 14. What if I don’t renew on the subscription plan? Existing users can continue to use the version of IDA Pro/Decompiler he have purchased under the perpetual license model indefinitely. However, they will not be able to receive product updates and tech support after the 12-month support expires. No re-downloads of past versions will be provided, so make sure to keep all necessary backups.

orra 4 years ago | | |

> No re-downloads of past versions will be provided

Far, far bigger films get away with nonsense like this. But IMHO it's a violation of the CJEU case UsedSoft GmbH v Oracle (paragraph 85).

CoastalCoder 4 years ago | | |

That's a bit embarrassing, thanks for the correction.

It didn't occur to me that some FAQ items would modify others, so I stopped reading at #13.

catskul2 4 years ago | | |

> 10. What if I do not renew my subscription?

> 14. What if I don’t renew on the subscription plan?

Not sure how a contraction and the word "on the", "plan" make those separate questions...

marcodiego 4 years ago |

https://ghidra-sre.org/

alpanka 4 years ago | |

Nice try NSA!

... Oh wait.

jamesfinlayson 4 years ago | |

Nice - last time I was looking for a decompiler this wasn't a thing. Clearly I've been out of the loop for a while.

ebeip90 4 years ago |

This is the dumbest thing they could do.

“Ah yes, all you hackers and crackers, please take this DRM’ed copy of IDA and please obey the licensing agreement and don’t bypass the DRM.”

yjftsjthsd-h 4 years ago | |

I'm not in this scene so take with a grain of salt, but I've heard that in many circles cracking your own copy of IDA was considered a rite of passage long before this particular change, and the company honestly may not care if their whole intent is to target the corporate market (a bit like how Adobe benefited greatly from Photoshop being widely pirated). Of course, the dynamic may also be changed by FOSS options becoming real competitors.

0xbadc0de5 4 years ago |

I had used IDA+HexRays for a few years between 2009 - 2017 but abandoned it entirely in favor of Binary Ninja and Ghidra (and to a lesser extent Hopper and Radare).

While IDA certainly has the first mover advantage, I've found that Binja and Ghidra in combination are able to achieve full coverage of my targets. If you're just targeting x86, you can probably get away fine with Ghidra. Although I've found for non x86 ISA's, Ghidra and Binja each have better or worse support for certain arch's but the ven diagrams overlap to full coverage.

marcodiego 4 years ago |

This is what happens: you've got enough corporate clients dependent on your product; you know they can pay what you're asking and it would be even more expensive for them to invest in alternatives; you also see that alternatives will improve and take youR market in the long run, but when that happens will be already retired.

I think we've seen this happen with other tools before.

jchw 4 years ago | |

IMO: IDA Home was the response to Ghidra. They could’ve raised or lowered rates without this change. But, subscriptions are probably a response to… perpetual licenses. Because I can keep using my current version of IDA forever, and with updates usually slower than the speed of smell it’s pretty alluring sometimes. I mean fuck, IDA Pro hasn’t updated since like April. Not because there's no bugs or no features that could be added, it just doesn’t get that much updates in a year. This is not the worst thing and I am sure there’s a reason, but yeah it makes the value proposition of keeping the support license alive a lot weaker.

Of course Hex Rays wants people to ditch perpetual licenses. Because I can just not pay and use my current IDA and Hex Rays licenses as long as I want. And at this point, I am probably going to do exactly that, and transition to greener pastures as I am able to.

It’s not like their licensing was generous before either. Before, you had to pay separately for each decompiler, including x86 vs x64, AND for each platform you want to run IDA on, you need another full set of licenses. That fucking sucks. This new scheme may have improved some of that, but at the cost of perpetual licenses and both higher starting and renewal rates, it’s extremely difficult to see this as a win.

I wanted to like Hex Rays. The high cost was literally never an issue for me other than for accessibility reasons. The software is useful and featureful and the lack of annoying DRM was good. But this, plain ass sucks. Between IDA Home and subscriptions, it’s hard to imagine how much harder Hex Rays could spit on home users other than flat out telling them to take a hike.

And yeah, at the end of the day I’m sure a lot of thought went into this, but I hope the response doesn’t go unheeded. I am not downgrading to a subscription under any conditions.

TavsiE9s 4 years ago |

I hope Ghidra and alternatives take their customers.

rowanG077 4 years ago |

Another one bites the dust. It's fortunate we have ghidra all though it can't compete yet on feature level. I guess the positive thing is that ghidra development will accelerate now.

markus_zhang 4 years ago |

Does anyone know whether it is possible to purchase a legacy license (and don't expect any update once they move to subscription model) for IDA right now? I'm preparing to get into reverse engineering but haven't looked into IDA because I'm still sharpening up my C, assembly and Operating System skills.

Actually, for a hobbyist, maybe the Home edition is good enough? It does have Pytho scripting capacity, local debugger (I guess I can just use Windbg for windows) and decompiler (although it's cloud based so I'm not sure what does it mean).

Edit just checked the quote for IDA Pro and it's some 5000+ USD, it's a bit heavy for me.

roblabla 4 years ago | |

Honestly, as a hobyist, I'd really recommend looking into Ghidra. It's really great, can be modified to suit your needs much more easily both thanks to its open source nature but also because of its really good API (IDA's scripting API is a huge mess...). Its decompiler is also really really good, and keeps getting better.

This is coming from someone who has access to an IDA Pro license through work, and uses both it and Ghidra daily. IDA does a few things better than Ghidra (Lumina is much better than ghidra's FIDB, the debugger support is a bit more feature-complete), but it's certainly not worth the steep price IMO.

markus_zhang 4 years ago | | |

Thanks. Guess I'm going to try out Ghidra later. It probably has way more than what I need.

CoastalCoder 4 years ago | |

I'm not really familiar with the relative merits of the different tools, but:

If you're just getting into this area, perhaps it makes sense to gain expertise with a tool that is likely to be around for a while (e.g. Ghidra) rather than one with a now-uncertain future?

markus_zhang 4 years ago | | |

Thanks, concerning the popularity of Ghidra yeah will try it out.

sharklazer 4 years ago |

Oddly, I’ve written my own decompiler stack from scratch for ARM thumb to “dumb” C for embedded systems, based on radare2. I looked at all the existing tooling and said “That would make sense in a professional capacity” before this change. But this is a little ridiculous, given how easy it is to write decompilation and reveng tooling, if you’ve got some compiler know-how and you’re willing to read manuals for those tricky details.

Also, just to be clear, my tooling only really covered what I needed. It was pretty crude. But amazingly simple to stitches together aside from a few gotchas.

livinginfear 4 years ago |

> We have halved the price of our products on this new model and hope that it will allow more users to access the software.

I love the gall they have to say this.

When I saw the headline, I thought that a subscription model might provide more amenable pricing than the USD$1800 for IDAPro, and actually give access to more users. At this pricing, they've absolutely ensured that I never pay again. IDAPro is already a product that's diminishing in comparison to the competition year after year.

unixhero 4 years ago |

Ah the good old death of good tools.

nice_byte 4 years ago |

i liked the old design on their website better. though this one fits better with the whole "software as a service" thing, i suppose.

fileoffset 4 years ago |

IDA license has always been a joke.

Long live Ghidra!

************************************************************ * Your order has been accepted. ************************************************************ Please retain this receipt for your records. This e-mail confirms your order placed with Hex-Rays. Payment data ------------ Beneficiary : Hex-Rays Address : Rue Rennequin Sualem 34 BE-4000 Liege Website address : http://www.hex-rays.com General conditions : https://www.hex-rays.com/products/ida/t&c.pdf Order date : 15/05/2016 22:40:05 Order reference : deWerd_4732_20160515 Ogone Payment reference : 3016168801 Order description : IDA license Total : 1129.00 USD Charging method : MasterCard XXXXXXXXXXXX---- Sub-brand : UNDEFINED Status : Authorised Authorisation code : ------

Sorry for the English, I do not speak well -- so, some idioms may be translated directly and be incorrect for understanding for native. This release should serve as a life lesson to those who consider themselves as "people 'blue' blood." It aims - in some ways to bring down pride (swallow their pride), to tell these people where to get off. Show that, besides them, there are other people who should at least respect, appreciate their work and consider to their opinions (or at least listen to). This release is dedicated to one man and one company, which behave antisocial, defiant, arrogant, are not considered to anybody or anything, and therefore need to conduct a little "educational" work from the community. *** Let's start in order: one man - Ilfak Guilfanov. I wanted to write a lot, then I thought - it makes no sense. And so, in principle, nothing much to tell. Those who are "in" know a lot about this person. It is impossible to buy IDA even if you really want to do. I described some details about this in my blog, 'ida' tag (do not linking here, if you need - you will find it). Also, you can read some more here (Russian only): I apologize to crackers who were recruited in HexRays SA, you are in some measure also falls under attack. But your head, sadly, leaves no other choice. In December 2007, after a memorable revelations of Ilfak in the topic http://www.idapro.ru/forum/viewtopic.php?t=463, occurred after warez-release of the IDA v5.5, I created another topic http://www.idapro.ru/forum/viewtopic.php?t=458. In it I outlined some thoughts about "double standards" of the author of IDA. Just a small example. Struck up a brief conversation, which resulted in Ilfak behaved absolutely inadequate (in his usual manner) and I was banned on the forum. But that's not all. Before I was banned, he is sent me a private message (PM): I recommend to reconsider your attitude to people and to express your thoughts in dealing with them. In any case, at the moment you "reap" is what you had "sow" by yourself. I do not soft-pedal such things. *** Next: company - ESET - NOD Antivirus developer There is a saying: "Curses like chickens come home to roost" (I have already voiced it in relation to you in 2008-2009th years). Now it's time. So, the characters from ESET (a minimum): * J M - the main short-sighted and po-faced personage * M Z (Customer [Un]Care; z@eset.sk) * D N (Virus Researcher) The ESET company treats software developers (small companies and individual developers of shareware-products) as a shit, and does not hide this.