I have a program that I would like to make as hard as possible to pirate. I have a good start on what I could do, but ran into a problem. I was going to add subscribers manually, and then log their IP address. My program would then do random checks to see if the person who logged in was in fact from the logged IP address. If not, the program would stop working. I was thinking about it a little more, and then I realized one person could just register under a proxy server's IP and then give anyone the chance to login under their credentials. Can someone help me improve my idea, or give me a better way to go?
And then what happens if the digital subscriber is on a dial-up connection? The IP changes every time they log on. Maybe try storing valid keys in a central database and, when they register, delete the key, making it impossible for the same key to be used twice. Though this will require an internet connection at the time of registration, it's a price that you would have to pay, I suppose.
Good idea. Is MS Access secure enough to hold such a key? Also, if it's deleted, then how do I make a reference to it in my online login system? I'm looking for checking based on a few days each month, not just a one-time thing. I've seen how well Photoshop's one-time check has done for itself.
I am confused by your request... are you trying to stop people from sharing their access or pirating the program itself? I know PHP can be a little flaky, but any server-side script should not be visible to users and therefore cannot be pirated anyway. Sharing accounts is more difficult because things like IPs are not static and many people have access to more than one PC.
Hey, just wanted to add something. I had a similar idea long back, of creating a user-login-based system, but one that won't allow people to share their accounts. I am still in pursuit of it. Is it possible? If not IP, can we program it such that the same user can't log in from multiple IPs at the same time? It seems zac and myself are in the same boat ;-)
This is for a Windows-based program. It will require a connection to the internet, and more specifically my web server, around 3 times a month. It would do these checks in the background while the user is connected; it wouldn't impose an internet connection on the user. If no internet connection was given in a month, it'd shut down. I will try the key idea. Thanks!
MS Access is definitely not secure enough to hold such a key. What I would do is build a 1-key-to-1-person scheme online and force the user to be online to use the application. If the key is ever used more than once at the same time, the key is useless and set to banned. No matter what, hackers can get in (no matter what), so I would just do the best you can: put in minutely checks and verifications, use 1-way hashes, and do NOT push out a trial that can be made full via a serial. Physically make 2 versions, one version that can do everything and one version that is crippled, so no matter what they try, they can't activate or enable the shareware version.
A stolen key could be used, until the second that 2 people are logged in using the same key at the same time... then the key is invalid. I would enforce being online, and enforce a valid key. Also, make sure NOT to use an algorithm to generate the keys; generating them manually or with random alphanumeric character generators would be best. Then a keygen could not be created.
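The one-key-per-person scheme from the two posts above (random keys held centrally, and a ban as soon as the same key is live in two places at once), sketched as an added example that is not part of the original thread. `LicenseServer`, `check_in`, `SESSION_TTL` and the per-launch `session_id` are hypothetical names and values chosen for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 120  # assumed: seconds without a heartbeat before a session counts as gone


class LicenseServer:
    """Hypothetical in-memory licence registry; a real one would sit on a server-side database."""

    def __init__(self):
        # sha256(key) -> {"banned": bool, "session": str or None, "seen": float}
        self.keys = {}

    @staticmethod
    def _digest(key):
        # Store only a one-way hash so a leaked table does not reveal usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self):
        # Random key from the OS CSPRNG: there is no algorithm for a keygen to reproduce.
        key = secrets.token_urlsafe(20)
        self.keys[self._digest(key)] = {"banned": False, "session": None, "seen": 0.0}
        return key

    def check_in(self, key, session_id, now=None):
        """Called at login and on each heartbeat. Returns 'ok', 'unknown' or 'banned'."""
        now = time.time() if now is None else now
        rec = self.keys.get(self._digest(key))
        if rec is None:
            return "unknown"
        if rec["banned"]:
            return "banned"
        live = rec["session"] is not None and now - rec["seen"] < SESSION_TTL
        if live and rec["session"] != session_id:
            # Two different sessions alive at once on one key: ban it for good.
            rec["banned"] = True
            return "banned"
        rec["session"], rec["seen"] = session_id, now
        return "ok"
```

A client that crashes and restarts inside `SESSION_TTL` looks like a second session here, so a production version needs an explicit logout call or a softer first response than a permanent ban.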
^^^ MAC addresses are entirely clonable. Geez, most routers have the cloning feature 'built in' so they can clone your NIC with the click of a button. Seriously, if it were me (and I am in the same situation at the moment and this is what I did), I'd just pick an online licensing provider and let them deal with it (they give you a DLL and away you go). Now admittedly they may not do all the checks and balances that you feel are necessary, but then again, their code is their bread and butter, so... Something like RegNow should do the trick.
Here's a way: instead of a serial, ask them for a username/password every time. Then the serial can be generated via a combination of username and MD5'd password. This "token" can be transferred over SSL to a live web service, which validates it and makes a handshake to authenticate the user, both hashed passwords... It works because that's what I'm doing and it's beautiful - 1-way hashed passwords encrypted on the wire over SSL making a handshake is a nice way to do it... and when you go through the web service first... there's no connection to the DB either.
Very interesting. What did you code that in? This is actually what I was planning to do, or something similar.
How is asking for a username/password and comparing the hash of the two concatenated to one on the "home" server different from having a unique serial in the app to compare to? Just annoys the user...
Serials are usually made with algorithms. Usernames and passwords would be set by me. This way, it would be hard to try and 'brute force' something in which you can not have a 'trial and error' type scenario. I would use cookies, so it wouldn't be annoying. Putting in a username and password once or twice a month isn't too much to ask for I don't think. I like the idea, I'm trying it out.
You can "set" your own serials too, but oh well, I guess it is not too painful for users as you said.
I built it in VB.NET 2005 and a .NET web service. Both use an MD5 1-way hash, but you could use SHA1 too. It might be annoying to supply the U/P every time, but this way you enforce authentication securely every time.
Hm... but the live server, it will have to be up? If it goes down, the authentication system goes down, right? ccoonen? And it would need to have awesome bandwidth for this thing, as it's encrypted, which means additional headers and packets, right?