  • Application Protection

    Is there something fundamentally wrong with this protection scheme?

    On App Installation:
    1. Get the UUID or disk S/N or some other PC-specific identifier
    2. Add the UUID to an encrypted file on a server

    On App Startup
    1. Download the encrypted file from the server
    2. Decrypt the file
    3. Get the local UUID and test to see if it is in the file

    And is the UUID or drive S/N as good as any PC-specific parameter to use?

    I'm not worried about "perfect" protection, but something like the approach above would seem to give reasonably good protection. No?

  • #2
    Hi Gary,

    There is no easy answer to techniques of protection. Intel dropped CPU serial numbers long ago, and bits of hardware get changed when they clap out, so it's not a viable long-term solution. Producing a unique key for each customer/user that is required to unlock the installation is reasonably straightforward to do and not easily broken, especially as the name of the customer would normally be encrypted in the key.
    hutch at movsd dot com
    The MASM Forum - SLL Modules and PB Libraries

    http://www.masm32.com/board/index.php?board=69.0


    • #3
      What if the application can't contact the server for some reason? Not everyone is permanently on-line.
      What if the user replaces his machine (or just the part you are using as an ID) - does he lose his licence?

      I'm happy with displaying the licensee's name prominently in the application and storing it encrypted in a licence file. If you don't want them to move the application to another machine, store the encrypted key in the registry (somewhere in HKCU with a nondescript path).

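As an added illustration (not code from any poster in this thread), here is the licence-record approach that post #2 and post #3 describe, which also covers the server-side allow-list in the opening post: the vendor signs a record carrying the licensee name, hashed machine identifiers and an expiry with an Ed25519 key that stays with the vendor, and the shipped application embeds only the public key. That is the practical difference from the "encrypted file" design in the opening post, where the decryption key has to be inside the program. The type names, record layout and sample serial are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the record the vendor signs (layout assumed for this example).
type License struct {
	Licensee   string   `json:"licensee"`    // displayed prominently in the app, per post #3
	MachineIDs []string `json:"machine_ids"` // hashed PC identifiers; several allowed per customer
	Expires    int64    `json:"expires"`     // Unix time after which the licence is refused
}

// SignedLicense is the file sent to the customer.
type SignedLicense struct {
	Payload   string `json:"payload"`   // base64(JSON(License))
	Signature string `json:"signature"` // base64(Ed25519 signature over Payload)
}

// HashMachineID maps a raw identifier (disk S/N, UUID, ...) to the value stored in
// the licence, so the file does not disclose the customer's hardware serials.
func HashMachineID(raw string) string {
	sum := sha256.Sum256([]byte("machine-id:" + raw))
	return hex.EncodeToString(sum[:])
}

// Issue runs on the vendor's side; priv never ships with the application.
func Issue(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	body, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	payload := base64.StdEncoding.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(payload))
	return SignedLicense{Payload: payload, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify runs inside the shipped application, which embeds only pub. It checks the
// signature before trusting anything in the payload, then expiry, then membership.
func Verify(pub ed25519.PublicKey, sl SignedLicense, rawMachineID string, now time.Time) (License, error) {
	sig, err := base64.StdEncoding.DecodeString(sl.Signature)
	if err != nil {
		return License{}, err
	}
	if !ed25519.Verify(pub, []byte(sl.Payload), sig) {
		return License{}, errors.New("licence signature invalid")
	}
	body, err := base64.StdEncoding.DecodeString(sl.Payload)
	if err != nil {
		return License{}, err
	}
	var lic License
	if err := json.Unmarshal(body, &lic); err != nil {
		return License{}, err
	}
	if now.Unix() > lic.Expires {
		return License{}, errors.New("licence expired")
	}
	want := HashMachineID(rawMachineID)
	for _, id := range lic.MachineIDs {
		if id == want {
			return lic, nil
		}
	}
	return License{}, errors.New("this machine is not covered by the licence")
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	const serial = "WD-WX11EXAMPLE" // constructed disk serial
	lic := License{
		Licensee:   "Example Customer Pty Ltd",
		MachineIDs: []string{HashMachineID(serial)},
		Expires:    time.Now().Add(365 * 24 * time.Hour).Unix(),
	}
	sl, _ := Issue(priv, lic)
	got, err := Verify(pub, sl, serial, time.Now())
	fmt.Println("licensed to:", got.Licensee, "error:", err)
	_, err = Verify(pub, sl, "SOME-OTHER-SERIAL", time.Now())
	fmt.Println("other machine:", err)
}
```

The signature is checked first so that a hand-edited payload is rejected before its contents are parsed; editing the licensee name or the machine list invalidates the file, and a file signed with any key other than the vendor's is refused even if its contents are well-formed.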

      • #4
        Gary
        We normally use a program to get the hard disk serial #, mainboard serial #, BIOS name and other BIOS parameters.

        We do not use the online server authentication method, as Stuart had said:

        What if the application can't contact the server for some reason? Not everyone is permanently on-line.
        What if the user replaces his machine (or just the part you are using as an ID) - does he lose his licence?

        We employ the following procedure to secure our programs:

        1. The user pays for the product online and is then able to download a pre-installer program from us. He/she must execute the pre-installer program first. This pre-installer program will retrieve all his/her computer's parameters (hard disk serial #, mainboard serial #, BIOS name and other BIOS parameters).

        2. The pre-installer will write the parameters into an encrypted file and the user needs to email us the encrypted file. The pre-installer program will normally expire within 10 days after a run.

        3. With this encrypted file, we are able to write (hard-written codes) into our programs which can only run on the specific user's machine and NO other computer.

        4. We then email the user a link to download this customized program (he is limited to 2 downloads), and the download link will expire within 10 days from the date of notification.

        5. The user can then install the customized program on that specific machine and run the programs.

        6. Each run of the customized programs will check for the parameters (hard disk serial #, mainboard serial #, BIOS name and other BIOS parameters). If the parameters are missing then the program will just exit. Note that we do NOT delete programs or data; the customized programs just won't run if they are installed on other machines. Deletion of programs and data is against the law. We also prevent the customized programs from running in virtual machines (as hackers can duplicate the machine's hard disk serial #, mainboard serial #, BIOS name and other BIOS parameters).

        7. Done this way, the customer or user will not be able to run the customized programs at home or sell them to other parties. Note that our programs are for professional engineers' usage, as there can be liabilities if these programs are used by non-engineers to design and build structurally sound buildings.

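An added example (not the poster's code) of the hardware-parameter check described in post #4, with one refinement that addresses the replaced-part objection from post #3: each identifier is hashed separately and the policy requires a minimum number of matching components rather than all of them. The profile fields, the sample serials and the threshold are assumptions for this example; a real installer would collect the values through WMI or the BIOS.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MachineProfile holds the identifiers post #4 lists; field names are assumed here.
type MachineProfile struct {
	DiskSerial  string
	BoardSerial string
	BIOSName    string
	BIOSVersion string
}

// components returns the identifiers in a fixed order so a stored fingerprint and a
// freshly collected one can be compared position by position.
func (m MachineProfile) components() []string {
	return []string{m.DiskSerial, m.BoardSerial, m.BIOSName, m.BIOSVersion}
}

// Fingerprint hashes each component separately, with its position mixed in so two
// identical values in different slots still yield different digests. Storing digests
// instead of raw serials keeps the hardware identifiers out of the licence data.
// A missing component (empty string) yields "" and therefore never matches, which
// is post #4's "parameters are missing" case.
func Fingerprint(m MachineProfile) []string {
	comps := m.components()
	out := make([]string, len(comps))
	for i, c := range comps {
		if c == "" {
			continue
		}
		sum := sha256.Sum256([]byte(fmt.Sprintf("component-%d:%s", i, c)))
		out[i] = hex.EncodeToString(sum[:])
	}
	return out
}

// MatchCount counts positions where the stored and live digests agree.
func MatchCount(stored, live []string) int {
	n := 0
	for i := range stored {
		if i < len(live) && stored[i] != "" && stored[i] == live[i] {
			n++
		}
	}
	return n
}

// Authorized applies the policy: at least minMatch components must agree. With
// minMatch equal to the number of components this is post #4's all-or-nothing
// check; a lower threshold tolerates the replaced-part case raised in post #3
// without accepting a completely different machine.
func Authorized(stored []string, live MachineProfile, minMatch int) bool {
	return MatchCount(stored, Fingerprint(live)) >= minMatch
}

func main() {
	// Constructed sample values for the demonstration.
	original := MachineProfile{"DISK-SN-0001", "BOARD-SN-7777", "ExampleBIOS", "1.02"}
	stored := Fingerprint(original) // what the vendor would bake into the customised build

	newDisk := original
	newDisk.DiskSerial = "DISK-SN-9999" // the customer replaced a failed drive

	fmt.Println("same machine, strict  :", Authorized(stored, original, 4))
	fmt.Println("new disk, strict      :", Authorized(stored, newDisk, 4))
	fmt.Println("new disk, 3 of 4      :", Authorized(stored, newDisk, 3))
	fmt.Println("other machine, 3 of 4 :", Authorized(stored, MachineProfile{"A", "B", "C", "D"}, 3))
}
```

The threshold is a policy knob: 4 of 4 reproduces the strict behaviour in post #4, while 3 of 4 lets a customer survive a single replaced drive or board without a new licence.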

        • #5
          Quoting Stuart:
          What if the user replaces his machine (or just the part you are using as an ID) - does he lose his licence?

          Well, if he/she replaces the machine, he/she will need to buy a new license from us at a discounted rate.

          Note that under NO circumstances can the user keep on replacing the machines as often as once every 3 months; we will not sell them any more discounted licenses, or we will sell them at our discretion.


          • #6
            There is also the solution of using a USB key (unique serial number) as a dongle.
            Then the user can move the software around, but it can be used only on the machine with the dongle.
            Patrice Terrier
            www.zapsolution.com
            www.objreader.com
            Addons: GDImage.DLL 32/64-bit (Graphic library), WinLIFT.DLL 32/64-bit (Skin Engine).


            • #7
              Required user information is encrypted once upon purchase by you.
              The program requires decrypting the information, shows it and uses it.
              The encryption/decryption can require a new password after certain conditions like the current date.
              Pretty much the same as Post 3.

              If somebody clones a disk, uses a backup or can't contact your server, that should not lock them out.


              • #8
                Hi Anne,

                It sounds like you have a system that works in a very narrow and probably very expensive market, but anything that is so difficult to purchase and maintain has a simple solution: buy something else that is not so crippled and restricted. I well understand why software that has big costs and time to produce it needs to be protected from illegal copying or piracy, but the more restrictions you place on downloading and using software, the more likely a potential customer will be inclined to look elsewhere.

                Just as an example, I use 5 machines for a variety of overlapping work; one is my LAN web server which also doubles as a GP box and the rest are multicore Xeons that I can delegate tasks to so I don't lock up my dev box. The only software I buy is software that I can install on all of them. I am the only user of all of them so there is no non-licenced usage. A video app I use when I have time to work on video did have some restrictions, but as I purchased a retail release version rather than a subscription version, I burnt their ear and they fixed it.

                You should be able to set up a multi-user licence so that a customer can run multiple copies within that licence limit. The more flexible your licence is, the more happy customers you will end up with.
                hutch at movsd dot com


                • #9
                  File protection/packers
                  May work, but false positives for viruses may start coming in at any time.

                  VirusTotal
                  Found about 20 different people in my log within minutes after submitting a SQLitening program packed into a single file.
                  A great way to test your software if you don't mind giving it away.

                  • #10
                    Are you trying to stop a licensed user from installing multiple times with a valid license? Or are you trying to keep it safe from lots of people who never got a real license?

                    You could randomly check the license and perhaps have a very obscure key in the registry in a pre-existing location, or make up a new one:

                    Computer\HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\GABE\

                    The key is to only check it once in a while, or every 12th use or something like that.
                    And don't check it on startup; wait a random number of minutes.

                    Now you can steal it, but it will drive you crazy. It is also a way to let people try it for free.

                    Could have a random timed splash screen.


                    • #11
                      Steve,
                      It is NOT so much about users pirating your software, it is about restricting the software use to an authorized computer, to prevent legal liabilities. As you see, my company does Structural Engineering software; as such it needs to be used by authorized and professional Engineers, and NOT by technicians or unqualified technologists who pirated the software and used it at home.

                      The said software is used to design and calculate structural building members such as beams, columns, floor slabs, shear walls, pile caps etc. If the software is illegally used at home by unprofessional and unqualified people, then if that building collapses, the repercussions will be heavy. Therefore, keeping the program on an authorized computer is a top priority and can potentially avert a disaster and save many lives.


                      • #12
                        David
                        Placing certain secret keys into the Registry is NOT secure, as there are many Registry cleaner programs (such as Panda AV) that can search through the registry and list out hidden or unknown registry keys. These keys can then be duplicated onto another computer and your program is now able to run on it, bypassing all your software checks.

                        From a hacker's viewpoint, this method will only be able to keep out some 30% of the users from pirating your software. And someone with perhaps a middle-school knowledge would be able to bypass this registry key check in a few minutes!!!

                        The same applies to keeping some obscure or hidden files located somewhere on your computer. By the same principle, these hidden files are easily hackable and traceable!

                        Perhaps there is an exception by having a thousand of these registry keys, of which your program would randomly check for, say, 150 at any given time. The remaining are just dummy keys set up to waste the hacker's time, as he/she needs to weed out each and every key by trial and error. It is more like security by attrition, until the hacker may have to give up as it is not worth his/her time.


                        • #13
                          Howdy David!

                          I allow my users to put a copy on any PC they own. I even allow family members to put it on their PC, because the family members can be a big help to the user.

                          I'm only interested in preventing unlicensed users.

                          I've generally been working within a small community of low vision users. If I were to grow, I'm interested in a reasonable approach to denying unlicensed users. With something like the disk drive ID, I would store valid IDs on the server and perhaps every 2 weeks check on startup of my application to see if the app is running on an approved PC.

                          I also allow unpaid users to run the software for 100 times on a trial basis.

                          Neither approach is particularly secure but better than nothing.

                          I don't really expect anyone to break in. If a few do, I don't really care. I just don't want it to be an open pathway for theft.


                          • #14
                            You are 100% correct Anne.
                            I was just tossing out some ideas if potential hackers are not very knowledgeable. All my stuff uses TCP call home once in a while. Sends errors at the same time.

                            Gary: TCP call home is quite easy if you wanted to take a look.


                            • #15
                              Gary,

                              There is a simple trick for a limited number of uses before the software stops working. Write an INI file (by any name you like at any location you like) with a number in it. After each use the number is decremented until it reaches 0, then the app deletes it. Randomise the file name and location so it's no joy to find, and when its number is 0 it can't be found at all. It could be beaten, but it would be no joy to do and it's easy to make it a lot more difficult.

                              Anne,

                              I get the swing of why you have to do this, but keeping customers happy has the capacity for them to buy more from you and this helps to keep the wolf from the door. What about a single unique dongle along with allowing each paying customer to have multiple installations?
                              hutch at movsd dot com

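An added example, not hutch's code, of the countdown file described in post #15, with the one addition a practitioner would want: the remaining count is stored together with an HMAC over the count and a machine identifier, so a count that has been edited by hand, or a file copied from another PC, is detected instead of honoured. The key and the machine identifier are assumptions for this example; the key has to live in the application, so this raises the effort of casual tampering only, which is the limit the post itself acknowledges.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed example key. In a shipped application it is embedded in the binary,
// so it defends against editing the file, not against someone who takes the
// program apart (hutch's "it could be beaten" caveat still applies).
var trialKey = []byte("example-trial-key-not-secret")

// ErrTrialOver signals that no uses remain and the file should be deleted.
var ErrTrialOver = errors.New("trial uses exhausted")

// tag binds the remaining count to one machine under the embedded key.
func tag(key []byte, machineID string, remaining int) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(machineID + "|" + strconv.Itoa(remaining)))
	return hex.EncodeToString(m.Sum(nil))
}

// Encode produces the INI-style content written to the randomised path:
// the remaining count plus a MAC over the count and the machine identifier.
func Encode(key []byte, machineID string, remaining int) string {
	return fmt.Sprintf("remaining=%d\nmac=%s\n", remaining, tag(key, machineID, remaining))
}

// Decode parses the content and verifies the MAC before trusting the count.
func Decode(key []byte, machineID string, content string) (int, error) {
	var remaining int
	var mac string
	haveCount, haveMAC := false, false
	for _, line := range strings.Split(content, "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		switch k {
		case "remaining":
			n, err := strconv.Atoi(v)
			if err != nil {
				return 0, errors.New("counter is not a number")
			}
			remaining, haveCount = n, true
		case "mac":
			mac, haveMAC = v, true
		}
	}
	if !haveCount || !haveMAC {
		return 0, errors.New("counter file incomplete")
	}
	if !hmac.Equal([]byte(mac), []byte(tag(key, machineID, remaining))) {
		return 0, errors.New("counter file edited or copied from another machine")
	}
	return remaining, nil
}

// Consume is called once per run: it verifies the file, spends one use and
// returns the new content to write back, or ErrTrialOver when nothing is left.
func Consume(key []byte, machineID, content string) (string, error) {
	remaining, err := Decode(key, machineID, content)
	if err != nil {
		return "", err
	}
	if remaining <= 0 {
		return "", ErrTrialOver
	}
	return Encode(key, machineID, remaining-1), nil
}

func main() {
	const machine = "DISK-SN-0001" // constructed identifier
	file := Encode(trialKey, machine, 2)
	for i := 0; i < 3; i++ {
		next, err := Consume(trialKey, machine, file)
		fmt.Printf("run %d: err=%v\n", i+1, err)
		if err != nil {
			break
		}
		file = next
	}
	edited := strings.Replace(Encode(trialKey, machine, 2), "remaining=2", "remaining=99", 1)
	_, err := Decode(trialKey, machine, edited)
	fmt.Println("edited count:", err)
}
```

Reading the file and writing it back is left to the caller, so the randomised file name and location from the post stay a separate concern from the integrity check.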

                              • #16
                                Schneier on Security
                                https://www.schneier.com/essays/arch..._of_trust.html


                                • #17
                                  Originally posted by Mike Doty
                                  An oldie but goodie. What he had to say then is just as valid 22 years later.


                                  • #18
                                    It's an interesting article Mike, but a bit long in the tooth. Microsoft deal with it by endless updates and it's one of the few ways that keep the cracking/hacking community on their toes. The general rule is that if software can be run, it can be broken, but you can add a level of complexity that is time-based to break it, which is then out of date due to later versions that are different. The call to home via an internet connection is no joy to circumvent, but if a hacker modifies the app so it does not do it or targets another web site, that runs out of puff as well.

                                    Endless change and being original is about the best you can do, and making the innards so complicated that it takes time to break it can be bypassed by rapid turnover, much the same as Microsoft do with the endless updates.
                                    hutch at movsd dot com


                                    • #19
                                      Phone home licensing is anti-consumer at its core. It allows the developer, AT WILL, to discontinue consumer use of their product, regardless of reason. If they decide they no longer want to support a version... poof; they want more money... poof; Internet or website goes down... poof; they go out of business... poof.

                                      Sure, it lets them control who is illegally using their software, but there are far more consumer-friendly methods (USB key dongles, etc.) that can be implemented. I have been burned too many times by developers using this methodology - Insteon (home automation), Photodex (ProShow Gold). Even IDM UltraEdit is like this; I have a few lifetime perpetual upgrade licenses for UE and UES and they have not burned me yet, but I'm waiting for it. They already have denied use of the "cloud configuration storage" built into the new subscription model versions.

                                      I will refuse to buy any new software which uses phone home licensing and am not afraid to tell those companies they lost a sale because of it. Do they care? Probably not, but at least they know why my money will go to a product that is more consumer-friendly.
                                      George W. Bleck


                                      • #20
                                        I simply refuse to pay for subscription software; depending on what I am doing, I may not use something for months and I don't intend to keep forking out for something that I use on an occasional basis. My last blunder was seeing an image app on Facebook and in "brain out of gear mode" I bought an app called InPixio for photo manipulation. It was a nightmare to install with its licence crap and when installed, it was very ordinary. My year 2000 Micrografx Picture Publisher outperformed it.

                                        Recently they tried to auto-renew it and provided no technique to cancel the renewal so after searching how to contact them, I made it very clear that I did not want it renewed. Shortly after I started to get emails about how I could subscribe to it again.
                                        hutch at movsd dot com
