The new subscription model will almost double my costs ($900 / year), all while I've been getting less and less value with each update. Furthermore if I ever stop paying, I will lose access to the product.
Whereas if I stop paying now, I will maintain indefinite access to what I currently have.
I think I simply won't renew next year, and will rely on Ghidra to fill any gaps going forward.
Wow, not even a perpetual fallback license?
I wasn't super thrilled when JetBrains switched to a more subscription-based system, but being grandfathered in (so I didn't have to restart the subscriptions as if I were a new client), the heaps of existing goodwill they'd built up, made the changeover much less of an issue, and super importantly finally listening to customers and adding perpetual fallback licenses alleviated much of the fear.
Don't pay for SaaS, don't encourage this bullshit. If FOSS offerings don't cover your use case, piracy is better for humanity than paying.
For whatever reason at the time, that opened my mind to why people do things
Only the decompiler is better in Ghidra, IMO, but I'm sure there's a plugin for that.
I’ve been paying for Hex-Rays out of my own pocket for a decade because it’s a great tool, but $8000/year for a personal license subscription? Forget it.
> It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
Unfortunately this leaves the hobbyist and individuals behind. ~$1K/year isn't out of the realm of what I pay for other tools, but it's really hard to justify it when I can open Ghidra and get 95% of the way there without the subscription model.
IDA really is great for handling edge cases and obscure architectures, but I hope this last switch-up by Hex-Rays pushes even more developer attention toward improving the open-source alternatives.
The only reason any corporation I worked for purchased IDA Pro licenses was because I recommended it. The only reason I recommended it is because I could (barely) afford a personal license, and play with it in my own time.
Going forward they're going to miss out on this word-of-mouth marketing, which I expect will negatively affect sales expansion going forward.
If you're an exec at Hex-Rays and you believe that Ghidra will eventually outcompete you, then it makes sense to squeeze every penny you can before you're irrelevant.
To this very day, whenever I'm stuck slogging through the build or debug process of a Ghidra plugin that has a more mature alternative in the IDA universe, I occasionally let a tiny bit of that resentment bubble to the surface to propel me across the finish line.
https://reverseengineering.stackexchange.com/questions/22676...
I find Ghidra to be much better at this, since people actually write loaders for it and you get a decompiler “for free”.
For the obscure architectures Ghidra does support, it's way better than IDA by virtue of having a decompiler alone. Even if the decompilation is subtly wrong, the broad strokes are so much easier to navigate that finding the right method to go through by hand is much easier.
And once you dive into Ghidra's P-Code IR and more advanced plugin support and move beyond existing IDA plugins, it's honestly better than IDA for things nobody has done before.
Now, there are some obscure architectures like C167 for which we still lack a working Ghidra processor model, but this is only a matter of time - and once it comes, it will already be way ahead of IDA!
You don't even need to describe the whole instruction set, just all the instructions that your target binary uses.
Such an amazing thing. And or1k is a nasty architecture with delay slots, which makes manual assembly reading quite tedious, etc. So the decompiler "C" output is very useful in this situation. I was in awe.
There's this new trend where big players (vendors large enough to appear in Gartner) are investing heavily in bridging the gap between them and the end user, at the expense of the small players (independent IT Security consultants and boutique firms).
Their new SaaS offerings are marketed as next generation, while making it seem that their previous product is just legacy and no longer recommended. However, it's the legacy product that got them the growth to be there today.
Their On-Prem offering is still for sale, but at a cost very hard to justify. Almost no small player can afford such a cost.
I understand the business rationale behind a product management decision like this. But just because it was the right decision at the moment doesn't automatically mean I have to feel great about it.
Historically, IDA Pro's sales and licensing have always been a bit of a headache for customers. I could understand that the OPEX model makes it easier for some companies to keep renewing.
That just goes to show that I'm not their target market. Even if IDA had a pay-what-you-want option, the 10-20 I'd be willing to pay per month while using a leaked version is clearly completely negligible compared to what they normally charge.
And I'm happy to just use Ghidra instead of bothering with an IDA leak, so I suspect this announcement might simplify things for their existing corp users, but it'll probably not do a great job of expanding the home userbase.
That happened after they announced the switch to a subscription model to overwhelmingly negative feedback.
Anyone who has worked on customer-facing projects or tools knows there is always overwhelmingly negative feedback to billing increases. What is less common is vendors being responsive to that in a way that is actually beneficial to customers. That is doubly the case when you are dealing with high quality, specialty tools that have free or open source competitors that are good enough to get by, but not great (Adobe suite vs various free and open tools, for example).
I think the worst part though is the bit about prohibiting future re-downloads for users who bought perpetual licenses in the past. The sort of company that pulls that nonsense is very precisely not the kind of company I expect to provide a good customer experience in a subscription product/service.
That is absolutely, 100% a complete deal breaker when it comes to the prospect of me ever doing business with Hex-Rays.
IDA never offered redownloads past the end of your 'support period'. As their last renewal email to me said:
> Please check our web site and the protected area for new files. If you find anything interesting or useful, feel free to download it immediately. Once your support period is over, the server will not prepare new download links!
> 10. What if I do not renew my subscription? If subscriptions are not renewed, you will lose access to the software on the day that a new subscription should have started. Please note that the software will stop working if not renewed.
> 13. I have an IDA perpetual license, when do I have to change to a subscription? At the end of your current support period all renewals will be moved to the subscription model. We are offering our existing users an opportunity to pay only your current renewal price for your first year on the subscription plan.
So maybe I'm mistaken, but it sounds like they're trying to renege on perpetual licenses?
> 14. What if I don’t renew on the subscription plan? Existing users can continue to use the version of IDA Pro/Decompiler he have purchased under the perpetual license model indefinitely. However, they will not be able to receive product updates and tech support after the 12-month support expires. No re-downloads of past versions will be provided, so make sure to keep all necessary backups.
Far, far bigger firms get away with nonsense like this. But IMHO it's a violation of the CJEU case UsedSoft GmbH v Oracle (paragraph 85).
It didn't occur to me that some FAQ items would modify others, so I stopped reading at #13.
> 14. What if I don’t renew on the subscription plan?
Not sure how a contraction and the word "on the", "plan" make those separate questions...
... Oh wait.
“Ah yes, all you hackers and crackers, please take this DRM’ed copy of IDA and please obey the licensing agreement and don’t bypass the DRM.”
If their goal is to target the corporate market, then they do care about individual hobbyists cracking their product - they'd be in favor of it.
Mostly that Ghidra is open source and no one would be willing to go through the hassle of reverse engineering IDA when Ghidra is just sitting right there...
While IDA certainly has the first mover advantage, I've found that Binja and Ghidra in combination are able to achieve full coverage of my targets. If you're just targeting x86, you can probably get away fine with Ghidra. Although I've found for non-x86 ISAs, Ghidra and Binja each have better or worse support for certain archs, but the Venn diagrams overlap to full coverage.
I think we've seen this happen with other tools before.
Of course Hex Rays wants people to ditch perpetual licenses. Because I can just not pay and use my current IDA and Hex Rays licenses as long as I want. And at this point, I am probably going to do exactly that, and transition to greener pastures as I am able to.
It’s not like their licensing was generous before either. Before, you had to pay separately for each decompiler, including x86 vs x64, AND for each platform you want to run IDA on, you need another full set of licenses. That fucking sucks. This new scheme may have improved some of that, but at the cost of perpetual licenses and both higher starting and renewal rates, it’s extremely difficult to see this as a win.
I wanted to like Hex Rays. The high cost was literally never an issue for me other than for accessibility reasons. The software is useful and featureful and the lack of annoying DRM was good. But this, plain ass sucks. Between IDA Home and subscriptions, it’s hard to imagine how much harder Hex Rays could spit on home users other than flat out telling them to take a hike.
And yeah, at the end of the day I’m sure a lot of thought went into this, but I hope the response doesn’t go unheeded. I am not downgrading to a subscription under any conditions.
I respect people's right to sell software, but I'm tempted to crack out the world's tiniest violin when I hear people complain that FOSS is eating their lunch. Consider how much good FOSS compilers have done for the world, and how many more people were able to program computers that otherwise would never have been able to afford it.
Binary Ninja (disclaimer: BN dev here), Hopper, JEB, Relyze
That said, I 100% agree with the impact Ghidra has had on the market. It's definitely making it _much_ harder to sell a commercial product when a well maintained, zero cost, open source alternative is available. If we (Vector 35, Binary Ninja devs) hadn't been as far along in our development roadmap and growing our customer base as we were when Ghidra was released we'd likely have had to simply do something else which would be an overall loss for the community.
Who knows what other products/ideas will now never see the light of day. The barrier to entry was already extremely high in this space for a limited return, but now? Nearly impossible for anyone new to enter.
I don't disagree with you. However we're discussing this in the context of IDA: A program whose user-interface is permanently stuck in the 90s. Its extremely idiosyncratic default key-bindings also betray exactly how dated its interface is.
I've only recently started using it, after being an IDA user for many, many years, and would be interested to know in advance where it falls short, in comparison with IDA or just generally.
Actually, for a hobbyist, maybe the Home edition is good enough? It does have Python scripting capacity, local debugger (I guess I can just use Windbg for windows) and decompiler (although it's cloud based so I'm not sure what it means).
Edit: just checked the quote for IDA Pro and it's some 5000+ USD, it's a bit heavy for me.
This is coming from someone who has access to an IDA Pro license through work, and uses both it and Ghidra daily. IDA does a few things better than Ghidra (Lumina is much better than Ghidra's FIDB, the debugger support is a bit more feature-complete), but it's certainly not worth the steep price IMO.
If you're just getting into this area, perhaps it makes sense to gain expertise with a tool that is likely to be around for a while (e.g. Ghidra) rather than one with a now-uncertain future?
Also, just to be clear, my tooling only really covered what I needed. It was pretty crude. But amazingly simple to stitch together aside from a few gotchas.
I love the gall they have to say this.
When I saw the headline, I thought that a subscription model might provide more amenable pricing than the USD$1800 for IDAPro, and actually give access to more users. At this pricing, they've absolutely ensured that I never pay again. IDAPro is already a product that's diminishing in comparison to the competition year after year.
Long live Ghidra!