Anti-pirating scheme
-
I am trying to develop an anti-pirating scheme. OK, I know that a good assembler programmer can crack just about anything, but here is my thought. Have the installer only install a registration and update app. Upon registering, where you grab and record the MAC address and other info, you allow them to download the remaining files to their computer. Then every time they run the app you both check for updates and confirm their registration against their MAC address. If there are updates then you just download them. If their registration fails you start deleting their application in the background. If they replaced their NIC or simply get a new computer a quick reinstall of your app reregisters it to the new NIC. This would effectively only allow one copy of your program to function per registration. So what do you think? I am sure there is a hole in the process somewhere. But, IMHO, a little incontinence to the customer when they switch out a NIC is nothing compared to having only one working copy per registration. Please comment on this. I need feedback before I go about designing this. Thanks Darroll
Write an application that is so great your users believe you must be a coding god. Now, who would withhold a coin from god? :cool: The biggest loophole in all copyprot schemes are users you scare away. IMO 20 digit-or-letter serials, as they are common today, are an insulting disrespect of the user. Everybody who does more than casual software administration will agree, and probably find stronger words. A good copyprot scheme starts with a look at the product to be protected. Each product has different users (if it's only beancounters, there's no use for a copyprot as you suggest), has different market and hazard exposure (e.g. beancounters just need a license agreement that looks scary), different distribution channels (who gets a hand on your final product anyway?), and "cracker attractiveness". And the skills of "good assembler programmers" are way overrated. Just because some companies make zillions with bogus protection schemes (if it comes in a DLL, forget it) doesn't mean you can keep a cracky busy for longer than he enjoys. They are good at certain things, bad at others.
skulls don't kiss a machito [sighist]
-
Well, there is always a hole (not talking about necessary internet access, as Brian said). Your scheme looks like: App->Go Web->Check Registration->Confirm Registration->App Can't draw it in a circle here :) but I guess you see where the problem is already. In the chain above, a cracker should remove the "Go Web->Check Registration" sequence and everything will work just fine, even without internet :) Well, right, you won't get updates.. and this is the subject to discuss. See for example Norton Antivirus. To stay up-to-date you HAVE to get updates, but to get updates you have to pay... Philip Patrick Web-site: www.stpworks.com "Two beer or not two beer?" Shakesbeer
Philip Patrick wrote: See for example Norton Antivirus. To stay up-to-date you HAVE to get updates, but to get updates you have to pay... AFAIK you can still download the virus definitions without paying, but being a paying customer allows you to use their LiveUpdate system. DBHelper - SQL Stored Procedure Wrapper & Typed DataSet Generator for .NET
-
1. Please do not cross post. It is sufficient to post a question in one forum only. Everyone who feels like answering it will answer it.
2. This question is better suited for the General Discussions forum, since it relates to programming in a way, though it's not about any particular language (hence you'd be better off in the General Discussions forum instead of any language forum, you'll get a larger audience.)
3. If the registration fails it's better IMO to give a chance to buy and register the app. Don't delete it in the background. That's cheating!
4. Don't use checks like if(IsRegistered()){...}. A cracker can easily change it to if(TRUE){...}.
5. Do the checks in as many different ways, at as many different times and in as many different locations as possible, even in places that have nothing to do with protection or "registered or trial/demo access", so that even if the cracker manages to patch it in some places, he will have to do a lot of work to patch them all, and even then he can't be sure he did them all (he thought he finished them when suddenly your app decides to check the registration status because it's 1st April).
Regards, Rohit Sinha
-
What if they do not have internet access? Why waste time learning when ignorance is instantaneous -Hobbes
Since my app is only distributed via the web they must have internet access.
-
leppie wrote: but being a paying customer allows you to use their LiveUpdate system There are ways to deal with that too I'm afraid. There is no fool proof licensing enforcement scheme, and I doubt there ever will be. I think the best approach is to make it hard enough so that average joe won't break it. But perhaps, in the future with quantum computing, it will be possible to fool the crackers. -- If I had the ability to smooth talk like John Simmons, this post would be less sarcastic and more to the point.
-
I would NEVER pay for a program that would not start if I was not online! - Anders Money talks, but all mine ever says is "Goodbye!"
The app will only need to be online during initial install and also during any updates. I will then check to see when you are connected and use that to also call home. Also my app is designed to be run on a LAN, so an always-on connection will be the norm, not the exception. Thanks for your opinion Darroll
-
I was hoping that locking an app to a MAC address would keep me from developing a 200 digit 3,000,000 bit product key. Even the 20 digit codes are just passed around anyway. Darroll
-
1+2) If I only posted to General then no one would have responded. Even you decided to post here instead of the General forum. I think posting here was the best. IMO. 3) Even if they would like to buy it I would still get them to go back and download the latest version. I would definitely remove the key components to the app. 4) What do you suggest I use? 5) Good idea. My thought would be to have several DLLs that always get updated even if not out of date that have checks in them. This way if they wanted to use a cracked version they could never go online while running my app; they will more than likely be using an always-on connection. Or just run checksums on everything. Thanks for your input Rohit! Darroll
-
Oh, and by the way why do you have two accounts? Why waste time learning when ignorance is instantaneous -Hobbes
-
2 accounts? Is that possible?
-
What if someone doesn't have a network card? IE: they connect via a modem, or a USB DSL/Cable modem?
Good catch, I could hope that all of my customers would have a NIC. (I am targeting LANs.) I will look into generating some other info, say the computer name and other rarely changed items. Even if they aren't used, the majority of newer computers have LAN cards. Thanks! Darroll
-
1) MAC addresses can be spoofed, and changed. What happens when someone upgrades their NIC, or their VPN / Dialup hands out new MAC addresses? "Incontinence" has to do with being unable to control themselves (this is what babies do) - you can *bet* the user will piss their pants when you delete stuff!!
2) Why stop with deleting the app, go ahead and delete the entire hard drive. After all, you've just equated someone whose connection failed with terrorism, so it's quite all right.
3) What happens when your web site is not reachable, for example, you forgot to pay your bill, the co-lo lost power, someone cut the trunk line, or maybe your DNS got hacked?
4) Re-installing with the original key just defeats your entire scheme, and at the same time, causes a complete denial-of-service to the original owner (quick, catch the license as it hops from system to system! NetBunny!!)
5) A cracker will simply block your program from connecting, or find the back door you put in.
6) Needless to say, the entire scheme can open you up to a wad of lawsuits if you start deleting things from a legit user whose machine was accessed by someone else (such as in the office).
If you're that worried about someone swiping a shareware program, I strongly suggest you not release it, since that way nobody will pirate it. Or you can do the smart thing and (gasp) *trust your users* by offering a good product at a fair price.
I would just junk the entire concept of "all users are stealing from me" that your scheme's mental model has and go the much saner route that a lot of vendors have been using for years with great success - downloads of upgrades are only available for registered users (v1.00 is online for trialware, buy now and get the 1.02 upgrade). If the download is from say more than 5 IP addresses in a given 24 hour period, nuke the key and email the original buyer. This way you *REWARD* legit users.
Visual Studio Favorites - improve your development! GUIgui - skin your apps without XP
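The rule suggested at the end of the post above (one key downloading upgrades from more than 5 IP addresses in a 24 hour period), sketched as server-side detection logic. This is an added example, not code from the thread; the log format, key names and function names are assumptions, and the sample log is constructed.

```python
"""Flag licence keys whose upgrade downloads come from too many IPs in 24 hours."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_DISTINCT_IPS = 5            # "more than 5 IP addresses" trips the rule
WINDOW = timedelta(hours=24)    # "in a given 24 hour period"

# Constructed sample log (timestamp, licence key, client IP). Keys are made up
# and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-04-01T09:00:00 KEY-HOME-OFFICE 192.0.2.10
2003-04-01T19:30:00 KEY-HOME-OFFICE 198.51.100.7
2003-04-02T09:05:00 KEY-HOME-OFFICE 192.0.2.10
2003-04-01T10:00:00 KEY-TRAVELLER 203.0.113.1
2003-04-02T11:00:00 KEY-TRAVELLER 203.0.113.2
2003-04-03T12:00:00 KEY-TRAVELLER 203.0.113.3
2003-04-04T13:00:00 KEY-TRAVELLER 203.0.113.4
2003-04-05T14:00:00 KEY-TRAVELLER 203.0.113.5
2003-04-06T15:00:00 KEY-TRAVELLER 203.0.113.6
2003-04-03T20:00:00 KEY-LEAKED 198.51.100.21
2003-04-03T20:10:00 KEY-LEAKED 198.51.100.22
2003-04-03T20:25:00 KEY-LEAKED 198.51.100.23
2003-04-03T21:00:00 KEY-LEAKED 198.51.100.24
2003-04-03T22:40:00 KEY-LEAKED 198.51.100.25
2003-04-04T01:15:00 KEY-LEAKED 198.51.100.26
2003-04-04T02:00:00 KEY-LEAKED 198.51.100.27
"""


def parse_line(line):
    """Split one 'timestamp key ip' record into typed fields."""
    stamp, key, ip = line.split()
    return datetime.fromisoformat(stamp), key, ip


def review_downloads(lines, max_ips=MAX_DISTINCT_IPS, window=WINDOW):
    """Replay download requests in time order.

    Returns (revoked, denied): revoked maps key -> (time the rule tripped,
    sorted IPs seen in that window); denied lists the refused requests.
    """
    recent = defaultdict(deque)      # key -> (timestamp, ip) pairs inside window
    revoked, denied = {}, []
    for stamp, key, ip in sorted(parse_line(l) for l in lines if l.strip()):
        if key in revoked:           # key already nuked: refuse outright
            denied.append((stamp, key, ip))
            continue
        events = recent[key]
        events.append((stamp, ip))
        while stamp - events[0][0] >= window:   # drop requests older than 24 h
            events.popleft()
        ips = {seen_ip for _, seen_ip in events}
        if len(ips) > max_ips:
            revoked[key] = (stamp, sorted(ips))
            denied.append((stamp, key, ip))
            del recent[key]          # revoked keys need no further tracking
    return revoked, denied


if __name__ == "__main__":
    revoked, denied = review_downloads(SAMPLE_LOG.splitlines())
    for key, (when, ips) in revoked.items():
        # A real service would also e-mail the original buyer at this point.
        print(f"{key} revoked at {when}: {len(ips)} IPs in 24 h -> {ips}")
    print(f"{len(denied)} request(s) refused")
```

The KEY-TRAVELLER records use six addresses spread over six days and do not trip the rule, which is why the count is kept per 24 hour window rather than over the lifetime of the key.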
-
First I am only batting around ideas. I have not even started coding yet. The problem with trusting users is that there is a crack for just about every APP. If you cannot find a crack you aren't looking hard enough. Cracked programs is a million dollar business in a majority of Eastern European countries. When I went to Bosnia there was a CD shop on every corner. Each CD was $5. So for $5 I would always have the latest software. The only non cracked software is one that no one wants. I am not saying I will come up with a better solution but not even trying means you don't care if someone steals from you. The updates will be released by the hackers in less than a week. This leads me to believe that a web based checking utility is the least hackable solution out there. If you require your app to call home say once a quarter you can track how many copies are out there and which reg key has leaked. You could have the install program register the key to that computer and lock out any other installs. Then unregister during uninstall. Remember just thoughts. The idea is to trust your customers but to make it so that it is as difficult to pirate as possible. Darroll
-
The problem is, people that use cracks seldom buy something if they can't crack it. You are talking about going through an awful lot of work for very little potential revenue. The part you forget about going to Bosnia is that the average person probably makes about $194 a month, with an unemployment rate of well over 70%. Most people simply couldn't afford your software even if they WANTED to buy it. This isn't a rationale for pirating at all, I'm just pointing out that it's unlikely that all the effort and cost you put into such a scheme will likely not gain you much extra money, and combined with the number of customers you lose may actually LOSE you money. You say you're targeting businesses anyways. What you probably want is a mechanism that encourages registration rather than requires it, such as access to updates (this works pretty well for a lot of products). Also, consider the issue that if I'm installing your program on 100 machines, I don't want to have to download from your server 100 times just to activate the program (even Microsoft provides a way around that). Many companies do not allow their end-users access to the internet *AT ALL*. -- Where are we going? And why am I in this handbasket?
-
As I stated earlier, the main problem I am trying to combat is the company that pays for one copy then installs it on several machines. There have been several cases of companies buying one license of say AutoCAD and installing it on over 100 machines. How to stop those is my main quest. Not stopping a user who would never pay for my app to begin with from using it. What are your thoughts on how to stop office piracy? Darroll
-
Well, you're not going to stop office piracy by forcing them to open up all their desktops to the internet. You're not going to stop it by forcing their admins to download patches individually to all machines. All that will do is force them into buying someone else's product (assuming one exists) or doing without. Unless you happen to be in the rare case where a company cannot do without your software on each and every machine, it will hurt you more than help. You have to consider customer good will in the equation. In most cases, simply making it more work than it is worth is sufficient to curb office piracy. Further, businesses are at a much higher risk for legal repercussions than individuals if a BSA raid occurs. It's a stupid business that knowingly pirates software, especially in large quantities since some disgruntled employee will likely eventually turn them in. Your best bet is simply to provide both an internet and phone based authentication system, based on date/time so that the key cannot be used again later. Sure, pirates will be able to crack this, possibly even create a keygen, but most people really have no idea how to track that kind of stuff down. Only the determined people, who probably wouldn't buy it anyways, will tirelessly track down a crack. -- Where are we going? And why am I in this handbasket?