 |
BorlandTalk.com Borland discussion newsgroups
Jonathan Benedicto Guest
|
Posted: Wed Feb 22, 2006 7:03 pm Post subject: piracy protection |
|
|
Basically what I'm concerned about is a business buying one copy of my
program, and then installing it on all of their computers.
How would I fix this ?
Jonathan |
 |
Jonathan Benedicto Guest
|
Posted: Wed Feb 22, 2006 8:03 pm Post subject: Re: piracy protection |
|
|
Dennis Jones wrote:
| Quote: | The solution I've used is (basically) to combine a pseudo-unique ID and a
random number into a "site code" that is used to generate a "site key" which
is then used to unlock the software.
|
Thank you very much for this info. I'll have to think this through, but it
may be the solution I've been looking for.
Jonathan |
 |
Dennis Jones Guest
|
Posted: Wed Feb 22, 2006 8:03 pm Post subject: Re: piracy protection |
|
|
"Jonathan Benedicto" <invalid (AT) nobody (DOT) com> wrote in message
news:43fca2e4$1 (AT) newsgroups (DOT) borland.com...
| Quote: | Basically what I'm concerned about is a business buying one copy of my
program, and then installing it on all of their computers.
How would I fix this ?
|
The most effective way to prevent piracy is to use hardware dongles. But
assuming you are looking for a software-only solution, there is no
fool-proof method since any software solution can be circumvented by a
clever hacker. Most of the time however, all you really need to do is
avoid tempting users with a scheme that is too easy to defeat. If you do
that, then most users won't bother wasting their time and will just pay for
a license.
The solution I've used is (basically) to combine a pseudo-unique ID and a
random number into a "site code" that is used to generate a "site key" which
is then used to unlock the software. The "site key" will only unlock the
software on the computer that actually generated the "site code" because of
the pseudo-unique ID. I call it "pseudo-unique" because there really is no
good way to get an absolutely unique ID from every computer (which I believe
has been discussed in your "product id" thread).
Basically, the unique ID *mostly* prevents users from using a single "site
key" to unlock multiple machines. In the case where they have identical
hardware and configuration setups, this *could* result in duplicate
pseudo-unique ID's on several computers, and so you need to go a bit
further. Adding a random number prevents two or more machines from
generating the same "site code" (even if they have the same ID) and
therefore prevents them from being unlocked with the same "site key." Of
course, you may have to worry about disk duplication, where a company
installs and unlocks the software on one machine, then duplicates the hard
disk for all of their other machines. If all of the machines have the same
"unique" ID, there is nothing to prevent them from running your software on
every machine they own. But as long as the machines have different ID's,
even disk duplication won't work, because the software tests the "site key"
every time it runs to make sure it is valid. If the machine's ID doesn't
match up with the "site key," the software won't run.
There is bit more to it than that (of course!), but that's what I do in a
nutshell.
- Dennis |
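The site code / site key scheme described in the post above, as an added example that is not Dennis's code or part of the original thread. The post does not say how the key is derived from the code; HMAC-SHA256 with a vendor secret is an assumption here, and all names and machine IDs are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: vendor secret used to derive site keys. A shipped application
# that verifies keys this way must contain the secret too, which is the part
# an attacker would go after.
VENDOR_SECRET = b"constructed-demo-secret"


def make_site_code(machine_id: str) -> str:
    """Install time: pseudo-unique machine ID plus a fresh random number."""
    return f"{machine_id}-{secrets.token_hex(8)}"


def make_site_key(site_code: str) -> str:
    """Vendor side: derive the unlock key for exactly one site code."""
    digest = hmac.new(VENDOR_SECRET, site_code.encode(), hashlib.sha256)
    return digest.hexdigest()[:20]  # shortened so it can be typed in


def is_unlocked(current_machine_id: str, stored_site_code: str, site_key: str) -> bool:
    """Every start-up: the key must match the code AND the code this machine."""
    code_id, _, _nonce = stored_site_code.rpartition("-")
    if not hmac.compare_digest(code_id.encode(), current_machine_id.encode()):
        return False  # licence data was copied from a different machine
    return hmac.compare_digest(make_site_key(stored_site_code), site_key)


def demo() -> dict:
    # Constructed IDs: two PCs share "HW-1111" (identical hardware),
    # a third reports "HW-2222".
    code_a = make_site_code("HW-1111")
    code_b = make_site_code("HW-1111")  # second identical PC, own random part
    key_a = make_site_key(code_a)
    return {
        "licensed machine": is_unlocked("HW-1111", code_a, key_a),
        "same key, other PC's site code": is_unlocked("HW-1111", code_b, key_a),
        "cloned disk, different hardware": is_unlocked("HW-2222", code_a, key_a),
        "cloned disk, identical hardware": is_unlocked("HW-1111", code_a, key_a),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'runs' if ok else 'locked'}")
```

The last case still runs, which is the disk-duplication limit the post describes for machines that report the same ID.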
 |
Alisdair Meredith[TeamB] Guest
|
Posted: Wed Feb 22, 2006 9:03 pm Post subject: Re: piracy protection |
|
|
Dennis Jones wrote:
| Quote: | The most effective way to prevent piracy is to use hardware dongles.
|
I can't speak for modern dongles, but with the old serial port dongles
this was nothing but a myth designed to give the illusion of security.
As the dongle is 'hardware' it clearly can't be cracked/duplicated, so
don't even bother trying ...
The semi-software literate realise that the way to hack a dongle is
pretty much the same as any other software. In this case you hack the
driver, which is simply another piece of software. So bad dongles are
probably better than bad software protection, but should be no more
effective and considerably more user-hostile than good software
protection.
I suspect modern USB dongles can be considerably more effective by
implementing program functionality inside the dongle itself. That way
you have to do more than hack the driver, but also supply the missing
functionality that is hidden inside the dongle. Selecting functions
throughout the codebase should render the dongle indispensable, at the
expense of incorporating the dongle deep into your development and
rendering the protected functions unpatchable without replacing
hardware.
Of course, you could just go with the illusory security model of
persuading your clients you have a 'smart' dongle, so they are never
tempted to hack it.
Although I wonder how much you want to be doing business with people
who are prepared to reverse engineer and hack your software in order to
steal from you in the first place.
Another trade-off with dongles is how many sales do you lose from
potential customers who simply refuse to have one of those wretched
things connected to their PC? Is that more than the number of sales
you are likely to gain from thwarted thieves? The answer to that
question varies greatly with the value of your software and size of
your target market.
--
AlisdairM(TeamB) |
 |
Tamas Demjen Guest
|
Posted: Wed Feb 22, 2006 9:03 pm Post subject: Re: piracy protection |
|
|
Jonathan Benedicto wrote:
| Quote: | Basically what I'm concerned about is a business buying one copy of my
program, and then installing it on all of their computers.
How would I fix this ?
|
Here's my opinion. Those who buy your product want to save time. If it
takes days or weeks to crack it, they won't save anything. I don't think
the majority of professional developers want to use cracked software for
development. A few will try to do that, but you have to accept that
fact. Unless your protection is trivial to crack, most of the customers
won't tamper with it.
The real problem is those hackers who crack for pride. They crack so
that they can brag about it. There's even a competition among them, who
can supply the latest version of a hit product sooner. However, they try
to find popular software packages to crack, stuff that sells a million
copies. WinZIP is a good example. They rarely crack niche applications,
because there's not too much interest in them. If they do, they target
famous products. So they either crack those popular consumer
applications, or the huge million dollar CAD systems used by NASA and
airplane manufacturers, because those types of things give ground for
bragging. I bet wares junkies who download those cracks don't design
airplanes, they just burn it on their CD collection. It's like
collecting stamps.
If a determined person wants to crack your product, they'll do it, even
if you require a dongle. A dongle itself can't be hacked cost
effectively, but it has a software layer, a device driver, which can be
substituted with something that emulates the hardware piece.
The best you can do is to add several invisible layers of protection.
Hackers mostly care about removing the "You're not authorized to run
this application" message box. If the application starts up properly,
they think it's cracked. Make it so that if the obvious part of the
protection gets removed, other parts of the protection are still lurking
in the background, which gives a hard time to the user. You can't
legally do any damage to the user's computer or files, don't even think
about going that far, but you can break features and reduce your
performance. If they don't immediately see that there is a protection,
they'll assume there's none. It's especially true if you make parts of
the protection based on a random timer. Hackers hate delayed effects,
because they can't debug it. If you set a flag that triggers something
an hour later, they won't understand why it behaves erratically. They
think they cracked it, and didn't expect something to surface some
time later.
Just be careful not to make the protection buggy. You don't want to
cause grief to valid users. You don't want registered users to experience
broken behavior due to badly implemented protection. I can compare that
to a security system that goes off accidentally and you find yourself in
the back seat of a police car, because a family member or your boss
changed the password without your knowledge (I've heard such stories).
Believe me, you don't want to make a protection so complex that it goes
off accidentally, giving a false alarm.
Tom |
 |
Dennis Jones Guest
|
Posted: Wed Feb 22, 2006 9:03 pm Post subject: Re: piracy protection |
|
|
"Jonathan Benedicto" <invalid (AT) nobody (DOT) com> wrote in message
news:43fcbc62$1 (AT) newsgroups (DOT) borland.com...
| Quote: | Dennis Jones wrote:
The solution I've used is (basically) to combine a pseudo-unique ID and a
random number into a "site code" that is used to generate a "site key" which
is then used to unlock the software.
Thank you very much for this info. I'll have to think this through, but it
may be the solution I've been looking for.
|
You're welcome. Go ahead and think through it and let me know if you need
more help -- it's definitely not trivial to implement a workable solution.
There are several things to keep in mind that can help undermine the
attempts of would-be cheaters.
- Dennis |
 |
Michael McCulloch Guest
|
Posted: Wed Feb 22, 2006 9:03 pm Post subject: Re: piracy protection |
|
|
On Wed, 22 Feb 2006 12:44:14 -0500, "Jonathan Benedicto"
<invalid (AT) nobody (DOT) com> wrote:
| Quote: | Basically what I'm concerned about is a business buying one copy of my
program, and then installing it on all of their computers.
How would I fix this ?
|
My opinion is that locking a registration to a particular hardware
configuration is a very poor choice. As an embedded engineer this type
of registration caused me nothing but grief. During the process of
debugging I often needed to switch computers and any tool that locked
the registration to hardware became an albatross. I change hardware in
my own computers on nearly a yearly basis and I don't have time to
contact every damn vendor for a new key when I change a hard drive.
If you really want to limit a single registration to one use at a
time, then sell a hardware dongle with it. There are USB based options
now that aren't too intrusive. I really don't care for those either,
but at least it gives >>me<< the ability to select my choice of
debugging platform.
Alternately, and it may be more work, have your app call home after
the install to become enabled and record some unique info about the
copy of the software and the machine on which it was installed. Then
filter the database based on abuse criteria as you desire and lock out
registrations that indicate abuse. This is more work, but you will
score points with the majority of honest users.
A simple system based on this would be to issue keys based on a user
name. When the end user enters the user name/key pair, your app calls
home with that data plus some unique hardware id from the computer as
you choose. Really you'd probably be ok with just recording ip
addresses to identify abusers -- if the same ip address shows say more
than 3 to 5 installs, then you probably have found abuse -- or if the
same user name/key pair is registered across more than 3 different ip
addresses you probably have abuse. Set up your "call home" server with
some set of reasonable rules for the "call home" count and disable
user name/key pairs that show abuse. Then let the customer contact you
with a reason why his key should be reenabled when the next install
fails. You could probably also have the "call home" count reset if it
has been a couple of years or so since the last install as that would
indicate the legit user most likely has upgraded his computer or
network.
---
Michael McCulloch |
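The "call home" rules from the post above, run over a constructed registration log, as an added example that is not part of the original thread. The thresholds use the post's figures; the record layout, names and addresses are assumptions, and the reset is applied only to a pair's address set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_INSTALLS_PER_IP = 5                # "more than 3 to 5 installs" from one address
MAX_IPS_PER_PAIR = 3                   # same name/key pair on more than 3 addresses
RESET_AFTER = timedelta(days=2 * 365)  # "a couple of years or so" of silence


def find_abuse(registrations):
    """Replay (timestamp, user, key, ip) records; return {pair: reason}."""
    installs_per_ip = defaultdict(int)
    ips_per_pair = defaultdict(set)
    last_seen = {}
    disabled = {}
    for ts, user, key, ip in sorted(registrations):
        pair = (user, key)
        if pair in disabled:
            continue  # the server already refuses this pair
        # A long quiet period suggests a legitimate hardware or network upgrade.
        if pair in last_seen and ts - last_seen[pair] >= RESET_AFTER:
            ips_per_pair[pair].clear()
        last_seen[pair] = ts
        ips_per_pair[pair].add(ip)
        installs_per_ip[ip] += 1
        if len(ips_per_pair[pair]) > MAX_IPS_PER_PAIR:
            disabled[pair] = "key registered from too many addresses"
        elif installs_per_ip[ip] > MAX_INSTALLS_PER_IP:
            disabled[pair] = "too many installs from one address"
    return disabled


def day(n):
    return datetime(2006, 1, 1) + timedelta(days=n)


# Constructed sample log (documentation-range addresses).
SAMPLE = (
    # alice: three addresses, then a fourth more than two years later
    [(day(d), "alice", "K-A", ip) for d, ip in
     [(0, "192.0.2.1"), (10, "192.0.2.2"), (20, "192.0.2.3"), (820, "192.0.2.4")]]
    # bob: four different addresses within four days
    + [(day(d), "bob", "K-B", f"198.51.100.{d}") for d in (1, 2, 3, 4)]
    # carol: six installs from a single address
    + [(day(d), "carol", "K-C", "203.0.113.50") for d in range(30, 36)]
)

if __name__ == "__main__":
    for pair, reason in find_abuse(SAMPLE).items():
        print(pair, "->", reason)
```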
 |
Dennis Jones Guest
|
Posted: Wed Feb 22, 2006 11:03 pm Post subject: Re: piracy protection |
|
|
"Alisdair Meredith[TeamB]"
<alisdair.meredith@no-spam-splease (AT) uk (DOT) renaultf1.com> wrote in message
news:43fcc8ce (AT) newsgroups (DOT) borland.com...
| Quote: | Dennis Jones wrote:
The most effective way to prevent piracy is to use hardware dongles.
I can't speak for modern dongles, but with the old serial port dongles
this was nothing but a myth designed to give the illusion of security.
As the dongle is 'hardware' it clearly can't be cracked/duplicated, so
don't even bother trying ...
The semi-software literate realise that the way to hack a dongle is
pretty much the same as any other software. In this case you hack the
driver, which is simply another piece of software.
|
This would be true for a naive use of dongles (merely checking for
existence, or simply retrieving data from it). In such a case, you probably
don't even need to go to that extent -- you could just intercept the call to
the driver. In that case, you're absolutely right...hacking the dongle
isn't any more difficult than hacking the software in an effort to
circumvent the need for the dongle (or even its driver) at all.
But, as you have correctly stated, the real beauty of a dongle is that you
can store executable code in it, without which the application is rendered
useless. If the dongle has the ability to execute code internally (as
opposed to simply copying the code from the dongle into the application's
memory), there is little a hacker can do, short of figuring out exactly what
that code does and find a way to replicate it. Not an easy task!
- Dennis |
 |
Jonathan Benedicto Guest
|
Posted: Thu Feb 23, 2006 2:03 am Post subject: Re: piracy protection |
|
|
Tamas Demjen wrote:
| Quote: | Again, I'm assuming you don't want an impossible-to-crack security level.
For that you'd have to put parts of your program on silicon.
|
Would floppy-disks do ? :-)
Jonathan |
 |
Jonathan Benedicto Guest
|
Posted: Thu Feb 23, 2006 2:03 am Post subject: Re: piracy protection |
|
|
Thank you all for your responses. A lot for me to think over and figure
something out.
Jonathan |
 |
Tamas Demjen Guest
|
Posted: Thu Feb 23, 2006 2:03 am Post subject: Re: piracy protection |
|
|
Michael McCulloch wrote:
| Quote: | My opinion is that locking a registration to a particular hardware
configuration is a very poor choice. As an embedded engineer this type
of registration caused me nothing but grief.
|
Pretty much so. And when customers call that they upgraded their
computer, you can't verify that -- they may just get a free copy every
other month, by calling in that something has changed.
I would only use the unique hardware-based ID to identify the number of
copies being launched by the user. If they have a 5-computer license,
for example, they can run a maximum of 5 copies, on any computer they
want. They can even install the program on 100 computers, only they
shouldn't be able to run more than N number of licenses concurrently.
The application could periodically report back to the central server for
authentication. Yes, the server can be redirected to a bogus service by
editing the hosts file, but that's why digital signatures are invented.
Every communication has to be authenticated. SHA1 is a good algorithm,
although it's impossible to hide the secret key perfectly. The question
is how many people will actually try to tamper with it, when they know
that your application communicates with your server.
If you really wanted, you could catch some of the cheaters. You could use
a secondary IP address to report just once a month, which the crackers
may overlook. So the application may appear to work fine at first with
the redirected bogus authentication server, but it would still have
occasional communication with a secondary server, for which the hackers
have no redirection. They'd have to disconnect from the Internet to
prevent detection, but what a hassle that is. Honestly, if 1% of the
customers are cheating, that shouldn't hurt your sales that much.
Dongles are also good, but they cost $50 + they must be physically
shipped. They're only cost effective with expensive software. Again, I'm
assuming you don't want an impossible-to-crack security level. For that
you'd have to put parts of your program on silicon.
Tom |
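The concurrent-seat check with authenticated server replies described in the post above, as an added example that is not part of the original thread. The post names no concrete message format; the JSON layout, the lease timeout and the use of HMAC-SHA256 with a shared key as the authenticator are assumptions, and every name is constructed.

```python
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key"  # assumption; embedded in the client as well
LEASE_SECONDS = 600                   # assumption: a seat is freed after 10 silent minutes


class LicenseServer:
    def __init__(self, max_seats):
        self.max_seats = max_seats
        self.leases = {}  # hardware ID -> lease expiry time

    def heartbeat(self, hardware_id, nonce, now):
        # Free the seats of copies that stopped reporting.
        self.leases = {h: t for h, t in self.leases.items() if t > now}
        granted = hardware_id in self.leases or len(self.leases) < self.max_seats
        if granted:
            self.leases[hardware_id] = now + LEASE_SECONDS
        body = json.dumps({"hw": hardware_id, "nonce": nonce, "ok": granted},
                          sort_keys=True)
        tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body, tag


def client_accepts(hardware_id, nonce, body, tag):
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # reply was not produced by the real server
    msg = json.loads(body)
    # Binding to this client's fresh nonce rejects replayed old replies.
    return msg["ok"] and msg["hw"] == hardware_id and msg["nonce"] == nonce


def demo():
    server = LicenseServer(max_seats=2)

    def run(hw, now):
        nonce = secrets.token_hex(8)
        return client_accepts(hw, nonce, *server.heartbeat(hw, nonce, now))

    results = [run("PC-1", 0), run("PC-2", 1), run("PC-3", 2)]  # third seat refused
    results.append(run("PC-3", 700))  # earlier leases have expired by now
    old_body, old_tag = server.heartbeat("PC-3", "old-nonce", 701)
    results.append(client_accepts("PC-3", "new-nonce", old_body, old_tag))  # replay
    forged = '{"hw": "PC-3", "nonce": "n", "ok": true}'
    results.append(client_accepts("PC-3", "n", forged, "00"))  # bogus server
    return results


if __name__ == "__main__":
    print(demo())
```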
 |
Jonathan Benedicto Guest
|
Posted: Thu Feb 23, 2006 3:03 am Post subject: Re: piracy protection |
|
|
Jeff Douglass wrote:
| Quote: | I had the same problem because I sell my SW to places like India and China.
I initially used the SW approach but that turned out to be a big pain in the
As*. I had customers calling years later stating that the SW had to be
installed on a new machine due to a failure. I eventually went to a HW
dongle approach provided by Aladdin SW's HASP key and I love it. I highly
recommend this approach. It is without the quickest and easiest way to
achieve what you are looking for. BTW, I do not work for them, and am not
associated with them in any way.
|
Thank you for this info. I think that I'm going to go the SW way for now,
maybe later on I'll use a dongle approach.
Jonathan |
 |
Alan Bellingham Guest
|
Posted: Thu Feb 23, 2006 3:03 am Post subject: Re: piracy protection |
|
|
"Jonathan Benedicto" <invalid (AT) nobody (DOT) com> wrote:
| Quote: | Would floppy-disks do ?
|
*Grin*. Shame that modern PCs don't have them.
Alan Bellingham
--
Team Thai Kingdom
<url:http://www.borland.com/newsgroups/> Borland newsgroup descriptions
<url:http://www.borland.com/newsgroups/netiquette.html> netiquette |
 |
Jonathan Benedicto Guest
|
Posted: Thu Feb 23, 2006 3:03 am Post subject: Re: piracy protection |
|
|
Alan Bellingham wrote:
| Quote: | *Grin*. Shame that modern PCs don't have them.
|
How modern ? My Celeron P3 1.2Ghz has one :-)
Jonathan |
 |
Jeff Douglass Guest
|
Posted: Thu Feb 23, 2006 3:03 am Post subject: Re: piracy protection |
|
|
I had the same problem because I sell my SW to places like India and China.
I initially used the SW approach but that turned out to be a big pain in the
As*. I had customers calling years later stating that the SW had to be
installed on a new machine due to a failure. I eventually went to a HW
dongle approach provided by Aladdin SW's HASP key and I love it. I highly
recommend this approach. It is without the quickest and easiest way to
achieve what you are looking for. BTW, I do not work for them, and am not
associated with them in any way.
Jeff Douglass |