Solved

copy protection

Posted on 1998-04-21
13
258 Views
Last Modified: 2013-12-25
I am interested in a couple ideas or an algorithm to do the following:  (no code is really necessary -- I am looking forward to working on this -- and learning a CGI language)

Our company would like to implement a copy protection scheme for our software.  We would like to do this via our web site with a CGI program so finishing software installs occurs automatically when they submit a form from our web site.  

This could take place as a "nugget" with password protection that they download.  We've thought of setting a cookie and have the downloaded "nugget" look for that (but the placement of the cookie depends on the web browser that they use and is a text file that can be manipulated.  
Pretty much the only requirements are that it is secure:
1. the client cannot send someone else the software and the nugget and have the install work on the other system)  
2. the client cannot send someone else the software and the other person can download the nugget themselves

and easy for the customer to use.

I would like to incorporate a "clock winding" where a copy protection clock (that we have already embedded in the system) would be "wound" so that their software will not quit working after the clock reaches 0.  We do this now but they have to call us.  I would like to be able to do this automatically.

Thanks for any ideas you may have.

Mark    
0
Comment
Question by:mbunkows
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 5

Expert Comment

by:icd
ID: 1827689
The simplest way to do this is for your protected program to request a validation code. This validation code would be obtained by them filling in a form on your web server. The validation code can be tied to some characteristic of their machine or to a hidden/protected file in the file system to prevent the program from working on another machine.

I have produced several products that do this where the code is obtained over the telephone but an Internet solution is more appropriate nowadays.
0
 

Author Comment

by:mbunkows
ID: 1827690
Thats exactly what Im looking for...

However wouldnt the characteristic of their machine exist on the pirated copy of the software as well.  Thats kindof the problem i have been wrestling with... if we dont put the characteristic on the computer ourselves (with the initial installation) how do we know what that characteristic is (says?) ... thats why I thought about using a cookie but of course their are problems with that also (namely it being in different locations for different browsers)

I think I need to be able to do one of the following:

1) put something on their system at the initial installation and have that change if another installation occurs (but what if they install twice?)
2) put something on their system (similar to a cookie) and then when they submit the form have the file that is included in the email look for that cookie (but how do i know where the cookie is located?)

We currently also give our clients the code over the phone (via modem actually) however we need this to be automotated.

Thanks

Mark  
0
 
LVL 5

Expert Comment

by:icd
ID: 1827691
Use some characteristic of the PC, such as hard drive serial no. or something. This together with the time of day could be used to generate a code value. This code value is sent to you server and you use it to encode a validation key which is sent back to the user.

When the program runs it compares the PC characteristic with the stored code value which is also used with the validation key to 'unlock' the program. If the program is copied then the code value will not match the PC.

0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:mbunkows
ID: 1827692

Excuse my ignorance in CGI matters but how is that code value sent to my server?

They obviously dont include it the form...

I understand that the time of day can be determined by the server itself but how will the server know the characteristic of the PC (like a hard drive serial number)?

Also how does the program know what time of day the form was sent?

Again I apologize for my ignorance in these matters.. I guess thats why I asked the question...

I'll up the points a bit (cuz im sure this is getting frustrating to you)
Mark



0
 
LVL 3

Expert Comment

by:bigelos
ID: 1827693
Yeah, but you get some pissed off users when they upgrade their system and find their software no longer works.
0
 
LVL 5

Expert Comment

by:icd
ID: 1827694
The information you get from the PC time of day and other characteristics are encoded into a code value, something like aeds-1s3e-fr56-s3wb (for example) The method you use to encode it will depend on how much information you need to send, how secure you want it etc. To give you a solution here would not exactly be secure! :-)

In the simplest method you ask the user to type this into a form on your server together with their name, address etc... This then tells your server the information about the PC that you need to create a validation code. This validation code is printed out on a html page (preferably secure) and the user types the validation code into their program.

A more sophisticated method would do away with the browser at all. The address information would be entered into the users program which would obtain the PC fingerprint. The program would then make a secure socket connection to your server and the handshake between them would insert the validation code directly into the customers program. This avoids any transcription errors, makes it easier for the user and allows you to transmit more details between the customers PC and your server.

0
 

Author Comment

by:mbunkows
ID: 1827695

In the simplest method, if the user types in all the information that is used to create the validation code then another person can type in the exact same information and get the correct validation code.  As far as I understand it, at least part of the information has to come from the computer itself.  This could be the time of day or whatever but both their PC and our server will have to have the exact same time.  If they type the time in the form, I might as well use some combination of address, name, etc.  I just dont know how to get information about the PC without the users knowledge (meaning they dont type at least part of it in a form).  I could have a list of clients in a file that the server has access to that the server deletes when the email (or secure web page) gets sent (created).  However having to update a file each time we get a new client is something I dont really want to do.
 
Im trying to make it as secure as possible without causing too many hardships on either myself or our clients.

Mark
0
 
LVL 5

Expert Comment

by:icd
ID: 1827696
The point is, the code that is produced on the PC will always be different. The user has no control over this code since it is generated from the time of day and the characteristics of the PC that you want to monitor. It is encrypted, or at least mangled in some way. The same code would not be repeated on another PC and not even on the same PC twice (since the time of day is incorporated into it). The server does not need to synchronise with the PC time of day since the TOD is only used to ensure a different code each time it is generated.

To get information about the PC will involve some system level programming (for example finding out how to read the hard disk serial number from your program).


0
 

Author Comment

by:mbunkows
ID: 1827697
If the server doesnt need to know the PC specific information (TOD, hard disk serial, etc) how can it generate a different validation code each time... one that the PC will be able to understand and confirm the validation?  

heres a senerio:
1) a new client buys our software and has it on CD
2) the client installs the software using our install program--at the end the install program has a link to our web site to finish the installation
3) the user goes to the web site and fills in a basic form--client number,name,address,etc
4) from the basic information that the client gave us a CGI program mangles the info and creates a validation code that either sends them the email or prints it on a newly created page just for them
5) the client then types the validation code into our software and runs the program

where in these steps do the PC specific items get put in? it has to be before the server creates the validation code.. otherwise the client could hand off the CD to his buddy and have him type in exactly what the client typed in and have the validation code work (because it would be the same exact one)

In my way of thinking the two either have to be synchronized or the PC needs to send specific information about itself without the client knowing

Mark  
0
 
LVL 5

Expert Comment

by:icd
ID: 1827698
Step 2. The client installs the software, during the installation process the program obtains the PC specific information. It creates a hash value from the PC data, the Time Of Day, the User information to create a code (call it a PC code).

Step 3. The user enters the PC code into the form.
etc.

If the installation process were to make a socket connection then the user would not act as an intermediary by reading the PC code from his pc, entering it on the web form and then reading the resulting authorisation code from the cgi output and entering back on his pc.


0
 

Author Comment

by:mbunkows
ID: 1827699

icd,

Thanks for putting up with my ignorance of this situation.

It makes sense now (I dont know what I was thinking... I got the lightbulb)

Please submit an answer and ill give you an A... You've been most helpful!

If you could point me to a link or another resource that may give me more information about a socket connection that would be exceedingly helpful.  If you dont know of anything thats ok too.

Thanks

Mark
0
 
LVL 5

Accepted Solution

by:
icd earned 220 total points
ID: 1827700
A search for '"socket program" and perl' on Alta-Vista or perhaps '"socket example" and perl' is likely to bring up something of relevence. It will take a bit of trawling however to find a suitable example.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1827701
a CPAN search for "socket"
http://theory.uwinnipeg.ca/search/cpan-search.html
may bring you more directly to some perl examples
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It is becoming increasingly popular to have a front-page slider on a web site. Nearly every TV website,  magazine or online news has one on their site, and even some e-commerce sites have one. Today you can use sliders with Joomla, WordPress or …
Batch, VBS, and scripts in general are incredibly useful for repetitive tasks.  Some tasks can take a while to complete and it can be annoying to check back only to discover that your script finished 5 minutes ago.  Some scripts may complete nearly …
Learn the basics of if, else, and elif statements in Python 2.7. Use "if" statements to test a specified condition.: The structure of an if statement is as follows: (CODE) Use "else" statements to allow the execution of an alternative, if the …
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question