What is the best way to handle my software's licenses? [closed] - licensing

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
By best I mean more time tested, easier to implement and easier for the users to work with. I do not want my licensing crap to interfere with their work.
I was thinking of launching a WCF service that checks with my license DB whether it's a valid license and, if it is, sends back True.
If the returned response is False, then shut down the program after telling them to fix their license.
Do you think this is a good way to handle it?

You will need to develop or find an algorithm that creates sufficiently complex strings for your license keys.
Generate the license key based on some bit of information unique to a user, like their E-Mail address.
Your program would then require the user to enter their E-Mail address and license key. It would then ensure the license key is correct by running the same algorithm you did to generate it in the first place.
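The scheme described above, written out as an added example (not code from the answer's author): the key is an HMAC-SHA256 over the normalised e-mail address, truncated and rendered as base32 so it can be typed, and verification recomputes it. The vendor secret, the 20-byte truncation and the group-of-four formatting are assumptions. Because the program must run "the same algorithm you did", a symmetric scheme like this ships the secret inside the program; a signature scheme (private key at the vendor, public key in the program) is the usual way to avoid that.

```python
import base64
import hashlib
import hmac

# Constructed vendor secret for this example. Whoever holds it can mint keys,
# so with a symmetric scheme the verifier in the shipped program necessarily
# contains it; a signature scheme removes that exposure.
VENDOR_SECRET = b"example-vendor-secret-not-for-production"


def _canonical_email(email: str) -> bytes:
    # Normalise so "Alice@Example.COM " and "alice@example.com" get the same key.
    return email.strip().lower().encode("utf-8")


def generate_key(email: str, secret: bytes = VENDOR_SECRET) -> str:
    """Derive a licence key from the customer's e-mail address.

    HMAC-SHA256 over the normalised address is truncated to 20 bytes and
    rendered as base32 (32 characters, no padding), then split into groups
    of four so it is easy to type or read out over the phone.
    """
    digest = hmac.new(secret, _canonical_email(email), hashlib.sha256).digest()
    code = base64.b32encode(digest[:20]).decode("ascii")
    return "-".join(code[i:i + 4] for i in range(0, len(code), 4))


def verify_key(email: str, key: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Recompute the key for the entered address and compare in constant time."""
    expected = generate_key(email, secret).encode("ascii")
    supplied = key.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    k = generate_key("alice@example.com")
    print("key:", k, "valid:", verify_key("alice@example.com", k))
```

Normalising the address before hashing matters: without it a customer who typed a capital letter at purchase time would be told their key is wrong.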

The approach I have used in the past is a simple one but effective. I generate about 1000 keys for my software and run them through a hashing algorithm. I then include them within my program (maybe as an array, which takes up little space).
I then give out one unique key of the 1000 generated to each customer, and when they enter that into my software it is hashed with the same hashing algorithm and compared against the included hashes. If it compares true you are registered, so save it in your config file.
Every so often I update the program by another build number and recreate the keys and hashes included in that build. You just have to keep track of what keys go with what build, but you can control this with a nice database, etc.
Never had any trouble with this system as it can all be fully automated.
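The pre-generated pool approach from the answer above, as an added example that is not the answer author's code: a build-time step generates random keys and a set of SHA-256 hashes (the "array" that ships in the program), the plain keys stay in the vendor's ledger, and the runtime check only hashes what the customer typed and looks it up. The key format, the hash algorithm and the build number being mixed into the hash (so a key from one build is not accepted by another) are assumptions.

```python
import hashlib
import secrets

BUILD_NUMBER = 42  # constructed build number for the example


def key_hash(key: str, build: int) -> str:
    """Hash a key together with the build it belongs to. Dashes and case are
    ignored so a key read over the phone still matches."""
    data = f"{build}:{key.replace('-', '').upper()}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def make_key_pool(count: int):
    """Build-time: random 64-bit keys formatted as four groups of four hex chars."""
    keys = set()
    while len(keys) < count:
        raw = secrets.token_hex(8).upper()
        keys.add("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return sorted(keys)


def build_allowlist(keys, build: int) -> frozenset:
    """Build-time: only these hashes are compiled into the program."""
    return frozenset(key_hash(k, build) for k in keys)


def assign_key(ledger: dict, pool, build: int, customer: str) -> str:
    """Vendor side: hand out the next unused key and record who got it."""
    for key in pool:
        if (build, key) not in ledger:
            ledger[(build, key)] = customer
            return key
    raise RuntimeError("key pool exhausted; generate a new build")


def is_registered(entered: str, allowlist: frozenset, build: int = BUILD_NUMBER) -> bool:
    """Runtime check inside the shipped program."""
    return key_hash(entered, build) in allowlist


if __name__ == "__main__":
    pool = make_key_pool(1000)
    allowlist = build_allowlist(pool, BUILD_NUMBER)
    ledger = {}
    k = assign_key(ledger, pool, BUILD_NUMBER, "customer-1")
    print(k, is_registered(k, allowlist))
```

Because the keys are random rather than derived from customer data, nothing in the shipped hash set helps anyone produce a new valid key; the trade-off is that a leaked key cannot be tied back to a customer except through the vendor's ledger.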

You could try generating license keys strings using the user's name + dob + user-selected-password.
OR
Use the user's h/w serial numbers and give them a license key online post install. I am assuming at this point only one computer per license is allowed.

Pinging the web service will not work if a net connection is not available. You should use a combination of pinging and a grace period. If a customer cannot validate/activate the license within 'X' number of days, THEN you declare it as unlicensed.
Try CryptoLicensing which supports this scenario.
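The ping-plus-grace-period logic from the answer above, as an added example (not from the answer's author or from CryptoLicensing): the client keeps a small state record, treats a server "valid" as a fresh validation, a server "invalid" as a hard stop, and no answer at all as permission to run for at most the grace period since the last validation (or since installation, for a copy that has never activated). The state fields, the 14-day default and the clock-rollback guard are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class LicenseState:
    """Persisted locally, e.g. in the config file. Constructed for the example."""
    installed_at: datetime
    last_validated: Optional[datetime] = None  # last time the server said "valid"
    latest_clock: Optional[datetime] = None    # highest clock value ever seen
    revoked: bool = False                      # server has definitely said "invalid"
    grace_days: int = 14                       # the answer's 'X' days


def check_license(state: LicenseState, now: datetime,
                  ping: Callable[[], Optional[bool]]) -> str:
    """Return 'licensed', 'grace' or 'unlicensed'.

    ping() models the web-service call: True = server says valid,
    False = server says invalid/revoked, None = no answer (offline, timeout).
    """
    # Never let "now" move backwards: winding the clock back must not
    # extend the grace period.
    if state.latest_clock is not None and now < state.latest_clock:
        now = state.latest_clock
    state.latest_clock = now

    answer = ping()
    if answer is True:
        state.last_validated = now
        state.revoked = False
        return "licensed"
    if answer is False:
        state.revoked = True
        state.last_validated = None
        return "unlicensed"

    # No answer: coast on the last good validation, or the install date for a
    # fresh copy that has not activated yet, but only for grace_days.
    if state.revoked:
        return "unlicensed"
    anchor = state.last_validated or state.installed_at
    if now - anchor <= timedelta(days=state.grace_days):
        return "grace"
    return "unlicensed"


if __name__ == "__main__":
    st = LicenseState(installed_at=datetime.now(timezone.utc))
    print(check_license(st, datetime.now(timezone.utc), lambda: None))  # offline right after install
```

The `revoked` flag is what stops a copy from going offline after the server has refused it and then coasting on the install date; the `latest_clock` field is the cheap defence against the most common way grace periods get stretched.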

I suggest you take a look at OffByZero Cobalt (obligatory disclaimer: it's produced by the company I co-founded). You're better off buying an existing proven solution than rolling your own.
As we point out in Developing for Software Protection and Licensing:
We believe that most companies would be better served by buying a high-quality third-party licensing system. This approach will free your developers to work on core functionality, and will alleviate maintenance and support costs. It also allows you to take advantage of the domain expertise offered by licensing specialists, and avoid releasing software that is easy to crack.

Related

Data masking for data in AWS RDS [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 4 years ago.
I have an AWS RDS (AuroraDB) and I want to mask the data on the DB. Does Amazon provide any service for data masking?
I have seen RDS encryption, but I am looking for data masking because the database contains sensitive data. So I want to know whether there is any service they provide for data masking, or whether there is any other tool which can be used to mask the data and add it manually into the DB.
A list of tools which can be used for data masking is most appreciated, if any apply to my case. I need to mask this data for testing, as the original DB contains sensitive information like PII (Personally Identifiable Information). I also have to transfer this data to my co-workers, so I consider data masking an important factor.
Thanks.
This is a fantastic question and I think your pro-active approach to securing the most valuable asset of your business is something that a lot of people should heed, especially if you're sharing the data with your co-workers. Letting people see only what they need to see is an undeniably good way to reduce your attack surfaces. Standard cyber security methods are no longer enough imo, demonstrated by numerous attacks/people losing laptops/USBs with sensitive data on. We are just humans after all. With the GDPR coming into force in May next year, any company with customers in the EU will have to demonstrate privacy by design, and anonymisation techniques such as masking have been cited as a way to show this.
NOTE: I have a vested interest in this answer because I am working on such a service you're talking about.
We've found that your masking method will depend on your exact use case, the size of the data set and its contents. If your data set has minimal fields and you know where the PII is, you can run standard queries to replace sensitive values, i.e. John -> XXXX. If you want to maintain some human readability there are libraries such as Python's Faker that generate random locale-based PII you can replace your sensitive values with. (PHP Faker, Perl Faker and Ruby Faker also exist).
DISCLAIMER: Straightforward masking doesn't guarantee total privacy. Think someone identifying individuals from a masked Netflix data set by cross-referencing with time-stamped IMDB data, or Guardian reporters identifying a judge's porn preferences from masked ISP data.
Masking does get tedious as your data set increases in fields/tables and you perhaps want to set up different levels of access for different co-workers, i.e. data science gets lightly anonymised data, marketing gets access to heavily anonymised data. PII in free text fields is annoying, and generally understanding what data is available in the world that attackers could use to cross-reference is a big task.
The service I'm working on aims to alleviate all of these issues by automating the process with NLP techniques and a good understanding of anonymisation maths. We're bundling this up into a web service and we're keen to launch on the AWS marketplace. So I would love to hear more about your use case, and if you want early access we're in private beta at the moment so let me know.
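The "standard queries to replace sensitive values" idea from the answer above, carried a step further as an added example that is not the answer author's code and does not use Faker (standard library only, so it runs offline): structured columns are replaced by keyed, deterministic pseudonyms so that the same e-mail in two tables still joins after masking, phone numbers keep only their last four digits, and free-text notes (the case the answer calls annoying) get e-mail addresses pseudonymised and phone numbers redacted by regex. The column rules, the sample rows and the masking secret are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed masking secret: kept by whoever produces the masked copy and
# never given out with it, so pseudonyms cannot be reversed by recomputation.
MASK_SECRET = b"example-masking-secret"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")


def pseudonym(value: str, kind: str, secret: bytes = MASK_SECRET) -> str:
    """Deterministic token: the same input always maps to the same token, so
    joins across tables still work, but the original is not recoverable
    without the secret."""
    msg = f"{kind}:{value.strip().lower()}".encode("utf-8")
    return f"{kind}_{hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]}"


def mask_email(value: str) -> str:
    # Keep the shape of an e-mail address; .invalid is a reserved TLD.
    return f"{pseudonym(value, 'user')}@example.invalid"


def redact_free_text(text: str) -> str:
    # Phones first, so digits inside generated pseudonyms are never mistaken
    # for a phone number afterwards.
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)


COLUMN_RULES = {
    "name": lambda v: pseudonym(v, "name"),
    "email": mask_email,
    "phone": lambda v: "XXX-XXX-" + v[-4:],   # the answer's John -> XXXX style
    "notes": redact_free_text,
}


def mask_rows(rows, rules=COLUMN_RULES):
    """Apply the column rules to every row; unlisted columns pass through."""
    out = []
    for row in rows:
        masked = dict(row)
        for col, fn in rules.items():
            if masked.get(col) is not None:
                masked[col] = fn(masked[col])
        out.append(masked)
    return out


# Constructed sample rows from two tables that share the e-mail as join key.
CUSTOMERS = [
    {"id": 1, "name": "John Smith", "email": "john.smith@example.com",
     "phone": "555-010-2345", "notes": "Prefers email; call +1 555 010 2345 after 5pm"},
    {"id": 2, "name": "Ann Lee", "email": "ann.lee@example.org",
     "phone": "555-010-9876", "notes": "Also reachable at ann.lee@example.org"},
]
ORDERS = [
    {"order_id": 100, "email": "john.smith@example.com", "amount": 42.0},
    {"order_id": 101, "email": "ann.lee@example.org", "amount": 17.5},
]

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS) + mask_rows(ORDERS):
        print(row)
```

Deterministic pseudonyms are what let the masked copy stay useful for testing joins; the flip side, which the answer's Netflix and ISP examples illustrate, is that consistent tokens still leak behaviour patterns, so the secret must stay with the person producing the copy and the masked set still needs a cross-reference review before it leaves the team.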
If you are exporting or importing data using CSV or JSON files (i.e. to share with your co-workers) then you could use FileMasker. It can be run as an AWS Lambda function reading/writing CSV/JSON files on S3.
It's still in development but if you would like to try a beta now then contact me.
Disclaimer: I work for DataVeil, the developer of FileMasker.

How can I prevent my legitimate customers from Breaking my license? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I have a commercial plug-in on top of Visual Studio.
My product is licensed per individual developer, so the developer may make copies on more than one computer, as long as the use of the product is by the same developer.
After a period of time I discovered that many of my customers purchase one developer license and distribute the product over all the team members (and it is not a rare case).
I spent many hours (here on StackOverflow and outside) searching for how to prevent this issue, but I found most people talk about protecting a per-machine license.
My question is how can I prevent my legitimate customers from illegally distributing my product over more machines if I cannot restrict them to any number of machines?
Through my search I got one solution, but I want to ask you whether it is acceptable or not.
I can restrict the license per Windows user name: when the customer activates the product for the first time I record the Windows username with the product serial number, so he cannot run (or even reactivate) the product on any machine with another Windows username.
If you purchased a product that is licensed per developer, would this approach be acceptable to you? (Or, on the other side, might this policy reduce my sales?)
Best Regards,
You can use many forms of DRM to protect your product. Consider though that you will be hurting and annoying legal owners on occasion. If someone changed computers or reinstalled windows then he will not be able to install your product again. DRMs can also be broken and are usually never worth the time invested in them.
My advice is that you don't try to prevent piracy of your software, since you can't stop it. If you are aware of a specific client that abuses your license, send them a friendly but firm Email requesting they acquire legal licenses for all their copies. Failing that, you might want to pursue legal actions.
All in all, trying to fight software piracy is a lost cause. You might consider other types of licenses that make it easier for a company with multiple developers to acquire your plugin. If you give group discounts they are more likely to pay.
I guess it depends on how the plugin is used. If it's primarily used in an office environment where having computers set up in a windows domain is the de facto standard, then yes, it could be acceptable.
It could become a problem if the developers are used to being able to use the plugin at home on their home computer as well, since the username will probably not match.
Edit: You could perhaps set a limit of 2 usernames per user. That could solve the use-at-home problem.
I'd say trying to bind the license to the windows user name would be sufficient, and somewhat acceptable. In your case you likely don't have any protection against several machines/users/etc. using many copies of your license - making it trivial for several people to use it. Most legitimate people will buy the additional licenses if it becomes non-trivial to do otherwise, binding it to the login name provides easy incentive to get additional licenses.
Just keep in mind:
You can't protect against every way to circumvent licensing.
You don't need fancy license protection, you just need it to be easier to get an additional license than it is to circumvent the licensing.
Don't make it hard to use a licensed product.
One caveat I have as a sole developer on some projects though, is stuff bound to just 1 machine (or perhaps user account) - I always need 1 additional license for my build server and/or my machine-at-home.
It is very annoying to have to pay for a license for that machine even if it's just me using it - so think about that. For your product, it'd mean I'd have to have at least 2 licenses - one for my work computer, one for my home computer (different users/domains).
Invent some kind of setting which everyone will want to have set their own way, and keep that setting value on your server, for a license. If it's the same programmer using the app from three different PCs, he'll have no complaints on that the setting is the same everywhere. (In fact, he'll like it). But different people have different tastes, and people will soon be tired of re-setting the option the way they like it only to later find it reset back to someone else's preference again. They'll think that maybe buying a cheap personal copy instead of going through all this crap is not a bad idea after all.
The more of user preferences you automatically move around, the better it is for a single user and the worse it is for cheaters.
Goerge, what you describe is pretty common in your industry. The battle is lost already. Small companies will not purchase as many licenses as they should, but bigger ones will eventually respect your licensing terms.
You must adapt your pricing strategy and take this fact into consideration.
Adding more protection will do the inverse, preventing you from getting new customers or keeping the existing ones.
Don't make it hard to use. I have seen bad results, like Blu-ray which almost failed because of so much DRM on them. Some people had to resort to Slysoft Any HD-DVD to play Blu-ray because the software player that was supposed to play Blu-ray wouldn't play the disc they bought.

Opinions/Discussion on Copy Protection / Software Licensing via phoning home [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I'm developing some software that I'm going to eventually sell. I've been thinking about different copy protection mechanisms, both custom and 3rd party. I know that no copy protection is 100% fool-proof, but I need to at least try. So I'm looking for some opinions on the approach I'm thinking about:
One method I'm thinking about is just having my software connect to a remote server when it starts up, in order to verify the license based off the MAC address of the ethernet port.
I'm not sure if the server would be running a MySQL database that retrieves the license information, or what... Is there a more simple way? Maybe some type of encrypted file that is read?
I would make the software still work if it can't connect to the server. I don't want to lock someone out just because they don't have internet access at that moment in time. In case you are wondering, the software I'm developing is extremely internet/network dependent. So it's actually quite unlikely that the user wouldn't have internet access when using it. Actually, it's pretty useless without internet/network access.
Anyone know what I would do about computers that have multiple MAC addresses? A lot of motherboards these days have 2 ethernet ports. And most laptops have 1 ethernet, 1 wifi and Bluetooth MAC addresses. I suppose I could just pick a MAC port and run with it. Not sure if it really matters.
A smart and tricky user could determine the server that the software is connecting to and perhaps add it to their hosts file so that it always tries to connect to localhost. How likely do you think this is? And do you think it's possible for the software to check if this is being done? I guess parsing of the hosts file could always work. Look for your server address in there and see if it's connecting to localhost or something.
I've considered dongles, but I'm trying to avoid them just because I know they are a pain to work with. Keeping them updated and possibly requiring the customer to run their own license server is a bit too much for me. I've experienced that and it's a bit of a pain that I wouldn't want to put my customers through. Also I'm trying to avoid that extra overhead cost of using 3rd party dongles.
Also, I'm leaning toward connecting to a remote server to verify authentication as opposed to just sending the user some sort of license file because what happens when the user buys a new computer? I have to send them a replacement license file that will work with their new computer, but they will still be able to use it on their old computer as well. There is no way for me to 'de-authorize' their old computer without asking them to run some program on it or something.
Also, one important note, with the software I would make it very clear to the user in the EULA that the software connects to a remote server to verify licensing and that no personal information is sent. I know I don't care much for software that does that kinda stuff without me knowing.
Anyways, just looking for some opinions for people who have maybe gone down this kinda road.
It seems like remote-server-dependent software would be one of the most effective copy-protection mechanisms, not just because of the difficulty of circumventing it, but also because it could be pretty easy to manage the licenses on the developer's end.
Remember, if someone wants to pirate your software, they will. Generally, they don't even bother with emulating the license server, they just insert a jmp around all license check code. You can make this more difficult (self modifying code, checks everywhere, code which is not delivered until the license check succeeds, etc), but it becomes a full time job doing license enforcement.
You are trying to stop casual pirates, which is fine. Doing a simple HTTP request to a license server, with the license code and MAC ID in a hash is a legitimate method. Have an easy way to "unregister" computers (it's reasonable to move the license amongst machines or to install it on someone's laptop IMO), and don't do a hard lockout once something changes. Decent models are iTunes DRM (5 computers, deauthorization, and a global reset) and Windows (fuzz factor based on how different the computers are).
If the software is not internet accessible or the organization dislikes it, the general practice is to have a license server on customer network which manages the authorization portion. There is established middleware for this already (FlexLM amongst others). Maintaining a license server is a PITA most IT departments balk at, so if you can piggy back on existing infrastructure, the more acceptable your solution becomes.
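The server side of the model the answer above recommends (a fixed number of seats, per-machine deauthorization and a limited global reset), as an added example that is not the answer author's code and not any real license server: the client derives one fingerprint from all of its hardware identifiers rather than picking a single MAC, which is one answer to the multiple-MAC-address question, and authenticates each request with an HMAC under a per-licence secret handed out at purchase. The request format, the five-seat and one-reset limits, and the in-memory store are assumptions; the answer's "fuzz factor" for partially changed hardware is not modelled.

```python
import hashlib
import hmac
import secrets


def machine_fingerprint(identifiers) -> str:
    """Combine every hardware identifier the client can see (all MAC
    addresses, disk serial, ...) instead of picking one port; sorting and
    normalising makes the result independent of enumeration order."""
    canon = "|".join(sorted(i.strip().lower() for i in identifiers if i))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:32]


def sign_request(license_code: str, fingerprint: str, license_secret: bytes) -> str:
    """Client side: the 'license code and machine ID in a hash' the answer mentions."""
    msg = f"{license_code}:{fingerprint}".encode("utf-8")
    return hmac.new(license_secret, msg, hashlib.sha256).hexdigest()


class LicenseServer:
    """Constructed in-memory model of the vendor's activation service."""

    def __init__(self, max_seats: int = 5, max_resets: int = 1):
        self.max_seats = max_seats
        self.max_resets = max_resets
        self.licenses = {}  # code -> {"secret": bytes, "seats": set(), "resets": int}

    def issue(self, code: str) -> bytes:
        """At purchase: create the licence and return the secret given to the customer."""
        secret = secrets.token_bytes(16)
        self.licenses[code] = {"secret": secret, "seats": set(), "resets": 0}
        return secret

    def _authorised(self, code, fingerprint, signature):
        lic = self.licenses.get(code)
        if lic is None:
            return None
        expected = sign_request(code, fingerprint, lic["secret"]).encode("ascii")
        return lic if hmac.compare_digest(expected, signature.encode("utf-8")) else None

    def activate(self, code, fingerprint, signature) -> str:
        lic = self._authorised(code, fingerprint, signature)
        if lic is None:
            return "denied"
        if fingerprint in lic["seats"]:
            return "ok"  # a re-check from an already activated machine uses no new seat
        if len(lic["seats"]) >= self.max_seats:
            return "seats-exhausted"
        lic["seats"].add(fingerprint)
        return "ok"

    def deactivate(self, code, fingerprint, signature) -> str:
        """The easy 'unregister' path, so moving to a new computer needs no support call."""
        lic = self._authorised(code, fingerprint, signature)
        if lic is None:
            return "denied"
        lic["seats"].discard(fingerprint)
        return "ok"

    def reset_all(self, code, fingerprint, signature) -> str:
        """Global reset for a lost or dead machine, rate-limited so it cannot be
        used as an unlimited seat refill."""
        lic = self._authorised(code, fingerprint, signature)
        if lic is None:
            return "denied"
        if lic["resets"] >= self.max_resets:
            return "reset-exhausted"
        lic["resets"] += 1
        lic["seats"].clear()
        return "ok"
```

Returning the same "denied" for an unknown licence code and for a bad signature keeps the service from confirming which codes exist; the per-machine re-check returning "ok" without consuming a seat is what makes a start-up ping harmless for legitimate users.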

How do you manage software serial keys, licenses, etc? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
My company is trying to find a tool that will track serial keys for software we have purchased (such as Office), as well as software that we write and sell.
We want software that will allow us to associate a particular computer with the software on that computer and the serial key(s) and license(s) for that software. We'd also like to track the history of the computer, such as when software is removed from a computer and moved to another computer.
I've looked around Google and various software sites, but all of the results I've found are for licensing software and creating serial keys, not managing the serial keys that those tools generate. I know this problem has been solved; many companies license software and keep records of the serial keys they generate. So I'm curious if any of you have solved this same problem without writing your own custom software?
Edit: I forgot to mention, I am not asking about the merits of licensing software -- the software we write is not COTS and purchases are controlled at a contractual level. Still, we need to manage how serial keys are generated.
A couple of options (including the one you don't want):
Write your own database for this; Perhaps a simple app using SQLite. (Not very appealing, but not hard either)
You just need an application that lets you create name:value pairs and assign them into groups. A customizable address book would work in a pinch. Each contact could be a program name or a customer name with the license/serial as the data. Then you could group by computer, customer, etc.
This sounds like the classic kind of problem that Access (and programs like it) were designed to solve. You start with access, use it for a couple of years, and then later hire someone to port the data into a custom app when you've outgrown that solution.
I would be extremely tempted to try and use an address book program for this to start. (Note: I'm using Apple's address book program in my mind for referencing features) It allows for custom fields, notes, and groups. The downside is that you have to do more work: searching for part of a serial number to make sure it is not already in use, manually adding a note to two "contacts" indicating the transfer of a license from one to the other.
On the other hand, if the license tracking of your own software is key to your business, it is probably worth your time and money to develop a custom app on top of a SQL database. Write down a list of everything you want to be able to do. Go back and write down any rules or constraints (e.g. can two or more machines have the same license?). The database schema and programming rules will fall right out of that document.
Another idea: programs that track books, dvds, etc. Primarily ones that allow you to keep notes about when you lend them to people.
Take a look at SpiceWorks:
http://www.spiceworks.com/
It does a lot more than just inventory / asset management and is free.
Not off-the-shelf, but perhaps a database like MySQL or OpenOffice Base (or Access, bleah)? This sounds pretty simple if you're not looking for many frills; just a couple of tables, e.g. users, computers, software types, license keys, and cross-tables to associate these with each other.
This might be useful, but I have not used it for what you are looking for:
http://www.ezasset.com/i/front.html?page=front_ezindex
There are a number of ways you can handle this - perhaps a license is also considered an asset (not just a computer) and you can group the assets together?
There is a notion of a parent asset and sub assets I think.
It is free for up to 100 assets. Assignment and location are also handled.
My suggestion is PassPack - we use them for password management and they are excellent.
I've used this in the past and been pretty happy with it. The downside is that it runs in FileMaker

Software evaluation licensing [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
My company is looking to start distributing some software we developed and would like to be able to let people try the software out before buying. We'd also like to make sure it can't be copied and distributed to our customers' customers.
One model we've seen is tying a license to a MAC address so the software will only work on one machine.
What I'm wondering is, what's a good way to generate a license key with different information embedded in it such as license expiration date, MAC address, and different software restrictions?
I've used both FLEXlm from Macrovision (formerly Globetrotter) and the newer RLM from Reprise Software (as I understand, written by FlexLM's original authors). Both can key off either the MAC address or a physical dongle, can be either node-locked (tied to one machine only) or "floating" (any authorized machine on the network can get a license doled out by a central license server, up to a maximum number of simultaneously checked-out copies determined by how much they've paid for). There are a variety of flexible ways to set it up, including expiration dates, individual sub-licensed features, etc. Integration into an application is not very difficult. These are just the two I've used, I'm sure there are others that do the job just as well.
These programs are easily cracked, meaning that there are known exploits that let people bypass the security of your application that uses them, either by cutting their own licenses to spoof the license server, or by merely patching your binary to bypass the license check (essentially replacing the subroutine call to their library with code that just says "return 'true'"). It's more complicated than that, but that's what it mostly boils down to. You'll see cracked versions of your product posted to various Warez sites. It can be very frustrating and demoralizing, all the more so because they're often interested in cracking for cracking's sake, and don't even have any use for your product or knowledge of what to do with it. (This is obvious if you have a sufficiently specialized program.)
Because of this, some people will say you should write your own, maybe even change the encryption scheme frequently. But I disagree. It's true that rolling your own means that known exploits against FLEXlm or RLM won't instantly work for your application. However, unless you are a total expert on this kind of security (which clearly you aren't or you wouldn't be asking the question), it's highly likely that in your inexperience you will end up writing a much less secure and more crackable scheme than the market leaders (weak as they may be).
The other reason not to roll your own is simply that it's an endless cat and mouse game. It's better for your customers and your sales to put minimal effort into license security and spend that time debugging or adding features. You need to come to grips with the licensing scheme as merely "keeping honest people honest", but not preventing determined cracking. Accept that the crackers wouldn't have paid for the software anyway.
Not everybody can take this kind of zen attitude. Some people can't sleep at night knowing that somebody somewhere is getting something for nothing. But try to learn to deal with it. You can't stop the pirates, but you can balance your time/effort/expense trying to stop all piracy versus making your product better for users. Remember, sometimes the most pirated applications are also the most popular and profitable. Good luck and sleep well.
I'd suggest you take the pieces of information you want in the key, and hash it with md5, and then just take the first X characters (where X is a key length you think is manageable).
Cryptographically, it's far from perfect, but this is the sort of area where you want to put in the minimum amount of effort which will stop a casual attacker - anything more quickly becomes a black hole.
Oh, I should also point out, you will want to provide the expiration date (and any other information you might want to read out yourself) in plain text (or slightly obfuscated) as part of the key as well if you go down this path - the md5 is just to stop the end user from changing the expiration date to extend the license.
The easiest thing would be a key file like this...
# License key for XYZZY
expiry-date=2009-01-01
other-info=blah
key=[md5 hash of MAC address, expiry date, other-info]
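A writer and parser for the key-file format sketched above, as an added example that is not the answer author's code. One thing is changed and named plainly: a bare MD5 over the visible fields can be recomputed by the user after editing the expiry date, which defeats the answer's stated purpose for it, so the digest here is a keyed MD5 (HMAC-MD5) under a vendor secret that only the key generator holds. That secret, the 16-character truncation (the answer's "first X characters") and the ISO date format are assumptions; the file layout is the answer's.

```python
import hashlib
import hmac
from datetime import date

# Constructed vendor secret: it lives in the key generator, not in the key file.
VENDOR_SECRET = b"example-vendor-secret"
KEY_CHARS = 16  # the answer's "first X characters" of the digest


def key_digest(mac: str, expiry: str, other_info: str, secret: bytes = VENDOR_SECRET) -> str:
    """Keyed MD5 over the fields the key is supposed to protect."""
    msg = "|".join([mac.strip().lower(), expiry, other_info]).encode("utf-8")
    return hmac.new(secret, msg, hashlib.md5).hexdigest()[:KEY_CHARS]


def write_key_file(product: str, mac: str, expiry: str, other_info: str,
                   secret: bytes = VENDOR_SECRET) -> str:
    """Vendor side: produce the file in the answer's layout."""
    return "\n".join([
        f"# License key for {product}",
        f"expiry-date={expiry}",
        f"other-info={other_info}",
        f"key={key_digest(mac, expiry, other_info, secret)}",
        "",
    ])


def parse_key_file(text: str) -> dict:
    """Read name=value lines; '#' lines and blanks are ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split("=", 1)
        fields[name.strip()] = value.strip()
    return fields


def validate_key_file(text: str, mac: str, today: date,
                      secret: bytes = VENDOR_SECRET):
    """Program side: return (ok, reason). The digest is checked before the
    date so an edited expiry-date is reported as tampering, not as a date."""
    try:
        fields = parse_key_file(text)
        expiry = fields["expiry-date"]
        other_info = fields.get("other-info", "")
        key = fields["key"]
        expires_on = date.fromisoformat(expiry)
    except (KeyError, ValueError) as exc:
        return False, f"malformed key file: {exc}"
    expected = key_digest(mac, expiry, other_info, secret).encode("ascii")
    if not hmac.compare_digest(expected, key.encode("utf-8")):
        return False, "key does not match fields (edited or wrong machine)"
    if today > expires_on:
        return False, "license expired"
    return True, "ok"


if __name__ == "__main__":
    text = write_key_file("XYZZY", "00:11:22:33:44:55", "2009-01-01", "blah")
    print(text)
    print(validate_key_file(text, "00:11:22:33:44:55", date(2008, 6, 1)))
```

The program still has to know the secret to verify, which is the same limitation as any symmetric scheme; what the keyed digest buys over a plain hash is that the user cannot regenerate a valid key line from the fields alone without first extracting that secret from the program.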
We've used the following algorithm at my company for years without a single incident.
Decide the fields you want in the code. Bit-pack as much as possible. For example, dates could be "number of days since 2007," and then you can get away with 16-bits.
Add an extra "checksum" field. (You'll see why in a second.) The value of this field is a checksum of the packed bytes from the other fields. We use "first 32 bits from MD5."
Encrypt everything using TEA. For the key, use something that identifies the customer (e.g. company name + personal email address), that way if someone wants to post a key on the interweb they have to include their own contact info in plain text.
Convert hex to a string in some sensible way. You can do straight hex digits but some people like to pick a different set of 16 characters to make it less obvious. Also include dashes or something regularly so it's easier to read it over the phone.
To decrypt, convert hex to string and decrypt with TEA. But then there's this extra step: Compute your own checksum of the fields (ignoring the checksum field) and compare to the given checksum. This is the step that ensures no one tampered with the key.
The reason is that TEA mixes the bits completely, so if even one bit is changed, all other bits are equally likely to change during TEA decryption, therefore the checksum will not pass.
Is this hackable? Of course! Almost everything is, but this is tight enough and simple to implement.
If tying to contact information is not sufficient, then include a field for "Node ID" and lock it to MAC address or somesuch as you suggest.
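The packed-and-encrypted key described in the answer above, carried through end to end as an added example (not the answer author's company code): fields are bit-packed into 32 bits (days since 2007 in 16 bits, a product id and a feature mask in 8 bits each), a 32-bit checksum taken as the first 32 bits of MD5 is appended, the 64-bit block is encrypted with standard TEA under a 128-bit key derived from the customer's company name and e-mail, and the result is printed as hex with dashes. Decoding reverses the steps and rejects any key whose checksum does not match. The exact field layout, the MD5-based key derivation and the hex alphabet are assumptions. Note the property the answer relies on: the TEA key is the customer's own contact details, so the scheme ties a key to a person rather than keeping it secret from them.

```python
import hashlib
import struct
from datetime import date, timedelta

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
EPOCH = date(2007, 1, 1)  # dates are stored as days since 2007 (16 bits)


def _tea_encrypt(v0, v1, k):
    """Standard TEA, 32 rounds, on one 64-bit block given as two 32-bit words."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def _tea_decrypt(v0, v1, k):
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def _customer_key(company: str, email: str):
    # 128-bit TEA key from the customer's identity, as the answer describes.
    ident = f"{company.strip().lower()}|{email.strip().lower()}".encode("utf-8")
    return struct.unpack(">4I", hashlib.md5(ident).digest())


def _checksum(packed: bytes) -> bytes:
    return hashlib.md5(packed).digest()[:4]  # "first 32 bits from MD5"


def encode_key(company: str, email: str, expiry: date, product_id: int, features: int) -> str:
    days = (expiry - EPOCH).days
    if not (0 <= days < 65536 and 0 <= product_id < 256 and 0 <= features < 256):
        raise ValueError("field out of range for the packed layout")
    fields = struct.pack(">HBB", days, product_id, features)    # 32 bits, bit-packed
    v0, v1 = struct.unpack(">II", fields + _checksum(fields))    # one 64-bit TEA block
    c0, c1 = _tea_encrypt(v0, v1, _customer_key(company, email))
    hexstr = struct.pack(">II", c0, c1).hex().upper()
    return "-".join(hexstr[i:i + 4] for i in range(0, 16, 4))   # XXXX-XXXX-XXXX-XXXX


def decode_key(company: str, email: str, key: str):
    """Return the fields, or None when the key is malformed, belongs to a
    different customer, or has been altered (checksum mismatch)."""
    cleaned = key.replace("-", "").strip()
    if len(cleaned) != 16:
        return None
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return None
    c0, c1 = struct.unpack(">II", raw)
    v0, v1 = _tea_decrypt(c0, c1, _customer_key(company, email))
    block = struct.pack(">II", v0, v1)
    fields, given = block[:4], block[4:]
    if _checksum(fields) != given:
        return None  # TEA spreads any changed bit over the block, so this fails
    days, product_id, features = struct.unpack(">HBB", fields)
    return {"expiry": EPOCH + timedelta(days=days), "product_id": product_id, "features": features}


if __name__ == "__main__":
    k = encode_key("Acme Ltd", "dev@acme.example", date(2010, 6, 30), 3, 0b1011)
    print(k, decode_key("Acme Ltd", "dev@acme.example", k))
```

A 32-bit checksum means a random or tampered key slips through roughly once in four billion attempts, which is the "tight enough" the answer refers to; the real limit is the one the answer also states, namely that anyone with the customer's details and the decoder can mint keys, so locking to a node id or a vendor-held secret is what adds actual resistance.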
Don't use MAC addresses. On some hardware we've tested - in particular some IBM Thinkpads - the MAC address can change on a restart. We didn't bother investigating why this was, but we learned quite early during our research not to rely on it.
Obligatory disclaimer & plug: the company I co-founded produces the OffByZero Cobalt licensing solution. So it probably won't surprise you to hear that I recommend outsourcing your licensing, & focusing on your core competencies.
Seriously, this stuff is quite tricky to get right, & the consequences of getting it wrong could be quite bad. If you're low-volume high-price a few pirated copies could seriously dent your revenue, & if you're high-volume low-price then there's incentive for warez d00dz to crack your software for fun & reputation.
One thing to bear in mind is that there is no such thing as truly crack-proof licensing; once someone has your byte-code on their hardware, you have given away the ability to completely control what they do with it.
What a good licensing system does is raise the bar sufficiently high that purchasing your software is a better option - especially with the rise in malware-infected pirated software. We recommend you take a number of measures towards securing your application:
get a good third-party licensing system
pepper your code with scope-contained checks (e.g. no one global variable like fIsLicensed, don't check the status of a feature near the code that implements the feature)
employ serious obfuscation in the case of .NET or Java code
The company I worked for actually used a usb dongle. This was handy because:
Our software was also installed on that USB Stick
The program would only run if it found the (unique) hardware key (any standard USB key has that, so you don't have to buy something special, any stick will do)
it was not restricted to a computer, but could be installed on another system if desired
I know most people don't like dongles, but in this case it was quite handy as it was actually used for a special purpose media player that we also delivered, the USB keys could thus be used as a demo on any pc, but also, and without any modifications, be used in the real application (ie the real players), once the client was satisfied
We keep it simple: store all license data in an XML file (easy to read and manage), create a hash of the whole XML and then encrypt it with a utility (also our own and simple).
This is also far from perfect, but it can hold for some time.
Almost every commercial license system has been cracked; we have used many over the years and all eventually got cracked. The general rule is: write your own, change it every release, and once you're happy, try to crack it yourself.
Nothing is really secure. Ultimately, look at the big players, Microsoft etc.; they go with the model that honest people will pay and others will copy. Don't put too much effort into it.
If your application is worth paying money for, people will.
I've used a number of different products that do the license generation and have created my own solution but it comes down to what will give you the most flexibility now and down the road.
Topics that you should focus on for generating your own license keys are...
HEX formatting, elliptic curve cryptography, and any of the algorithms for encryption such as AES/Rijndael, DES, Blowfish, etc. These are great for creating license keys.
Of course it isn't enough to have a key you also need to associate it to a product and program the application to lock down based on a key system you've created.
I have messed around with creating my own solution but in the end when it came down to making money with the software I had to cave and get a commercial solution that would save me time in generating keys and managing my product line...
My favorite so far has been License Vault from SpearmanTech but I've also tried FlexNet (costly), XHEO (way too much programming required), and SeriousBit Ellipter.
I chose the License Vault product in the end because I would get it for much cheaper than the others and it simply had more to offer me as we do most of our work in .NET 3.5.
It is difficult to provide a good answer without knowing anything about your product and customers. For enterprise software sold to technical people you can use a fairly complex licensing system and they'll figure it out. For consumer software sold to the barely computer-literate, you need a much simpler system.
In general, I've adopted the practice of making a very simple system that keeps the honest people honest. Anyone who really wants to steal your software will find a way around any DRM system.
In the past I've used Armadillo (now Software Passport) for C++ projects. I'm currently using XHEO for C# projects.
If your product requires the use of the internet, then you can generate a unique id for the machine and use that to check with a license web service.
If it does not, I think going with a commercial product is the way to go. Yes, they can be hacked, but for the person who is absolutely determined to hack it, it is unlikely they ever would have paid.
We have used: http://www.aspack.com/asprotect.aspx
We also use a function call in their sdk product that gives us a unique id for a machine.
Good company although clearly not native English speakers since their first product was called "AsPack".
