As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
Ok I want to use online activation to protect my software. The users will need an internet connection and need to verify that they have an active account/license to continue using the software. So my software will send out some credentials to my website, where I will verify and send back SOMETHING to allow the program to run or not.
Here's the problem. How do I prevent someone from spoofing the simple SOMETHING that I send back, bypassing my verification altogether?
Two examples:
I remember seeing a program somewhere that allows you to monitor internet traffic and modify it before the traffic returns to the software. I cannot remember the name. In effect, its a man-in-the-middle between what goes out and comes into your computer, before the application sees it. For example, your browser sends an HTTP request, this program can intercept it and modify the out packet, or vice verse, some HTTP webpage is returned to the browser, and this program can intercept and change the incoming packet and then pass it along to the browser.
The HOSTS file can be changed to redirect traffic to any address. So if someone knows that my verification will return the text "ok_to_use" or "not_ok_to_use", and they know the url that I use to verify, then they can just use the HOSTS file to bypass dns lookup of my website, redirect it to their own site, and always return the string "ok_to_use"
The second example illustrates the problem. I think I need to somehow return something other than a static string. Obviously I can encrypt the string, but it won't take long to figure out that "ok_to_use" equals "7hgx3a" if that is the same encrypted string that always gets sent back. So I would need to send something back that changes all the time.
EDIT/
To the comments/responses saying that there will always just be a final if/then check in the app that flags whether the license is valid or not:
Yes thats true. I was hinting towards something like this in the last paragraph of the original post. Perhaps having the web php send back some critical functionality, so that even if the if/then is skipped, if the web check wasn't performed, then the algorithm for some function won't get downloaded, and the app won't work correctly. Anyone have ideas in this vain?
Although I basically agree with Gavin, but this is not the reason to leave your software prone to be hacked by the most stupid and noob hackers ever!
Well, you have many options to prune a large portion of the script kiddies and probably customer employees from the population that threaten your software's licensing mechanism.
I list some of them in the order they cross my mind:
You can use two-way SSL for your client-server connections, it has a little coding overhead but you can make sure that you have sold that version of software that is contacting your licensing server already. You can identify it by the public key that decrypts the sent licensing query correctly.
You can send more complicated tokens than OK_TO_USE, perhaps a value of a mathematical function that returns a number randomly every time it is asked about. Then the client software can be written so that identifies if the number is produced by that specific function.(this can be a more complicated thing than a single integer!)
At least use encryption! or register a certificate so that your client can verify that it has contacted the correct server.
Update your software in a timely manner and change the licensing mechanism every now and then!
Finally, no bullet-proof vest for a software license! you'll get cracked soon or late, but try to sell more and get hacked later. :D
I personally wouldnt bother - there are plenty of different copy protection systems used by professional software products, and every single one of them have been cracked.
No matter how complicated your copy protection system is, at some point in the binary you will have a check to see if the license is valid, all that is needed is to modify this part of the binary to always return true.
Just add a very simple activation system to deter people from passing it to friends, and then spend your time adding new features in order to sell more copies, rather than wasting time trying to prevent professional hackers from copying your software.
If they want to - they will!
You can use public/private key protection when sending messages from the server to the client. These messages cannot be altered and you rest assure the response came from the server.
You can check LicenseSpot that already provides what you're looking for. It has:
Free Licensing Component
Private/public key encryption
API to integrate your app and online store
Serial number generation
Revoke licenses
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
There are lots of ways to create a login form for web apps and most of them are flawed one way or the other:
Passwords are transmitted/saved as clear text
The login dialogs are subject to XSS attacks or SQL injection
Is there an example or tutorial how to create a secure login form?
I agree with Carlos about lack of "perfect" secure system, not only for login, but for any other component. The only thing to do is to minimize risks by following best practices, but always keeping in mind that total safety doesn't exist, so your question is quite difficult to answer, although there are some good examples out there nothing is perfect, security is a very fast evolving topic.
For me the main things to solve are:
-Data transmission: The user is always going to type a password and this has to be sent to your system before it was processed, so there is a high risk of being intercepted if you are using an open channel. To solve this you MUST use transport the data over an encrypted channel (SSL), no other way unless you drop the common password (for example using one-time use tokens, or delegating the authentication to a third party, like Facebook connect or openId). See "How to Make a Secure Login Form with SSL"
-Input Sanitation: To avoid XSS and SQL Injection consider any input that comes from a client as a potentially risk point, therefore you have to perform validation against anything that comes form outside --> doc. Another good practice is never use the inputs directly on queries, use as bind variables in prepared statements or stored procedures.
-Password Storage: Password should always be stored encrypted with a one way hash algorithm, so even in the case of someone accessing your DB, there is no way to recover the original passwords. Also use techniques as Salting, Hashing multiple times, etc... Also be careful to choose an algorithm that is not weak or outdated (like MD5), which can be broken by brute force easily with the increasing CPU power.
-Infrastructure: Have your machines, OS, frameworks, libraries always updated to avoid bugs and 0 day attack. Any system today is enormously complex, and the system is as secure as it weakest component.
-Other Things to Consider: Review your security policy regularly to see if needs to update anything, implement password policies (expiration, reuse, etc...), log access, use monitoring tools for your systems, etc etc etc
And after all that, you can still be sure that if someone has enough time and resources, your system will fall.
Your question, can't be that agnostic, and must be divided in your two main concerns:
Transmitting passwords in the clear.
Xss, Sql injection.
No system will be declared secured per se, but you can try your best to minimize the risks by using proven concepts.
So let's say you have the chance to design your own "secure system", what do you need?
At minimum you will need a basic set of tools:
Client side data encripting: (Javascript here, i think you will find lots of info of how to send your data in data 64 or something like that, remember you are searching for one way or two way encription)
DB Encription: (One way-two way encription, but never save passwords in the clear)
SQl injection: (mysql_real_escape_string() comes to mind).
Every language has some sort of protection built in, it is when building large projects that sometimes we may forget to sanitize some querys
I repeat no system will ever be declared secure, however you can add some other security measures as in:
access_tokens = timed-strings that allow to validate user login.
captcha_after_few_intents = you should add this definitely.
block_account_after_few_trys = pain in the * for users, but definitely worth it.
login_token = store a token unique for that user, and use it in all GET/POST transactions
SSL
From Bank Security:
Automatic gsm devices that generates RANDS and access_tokens valid only for a short time.
mouse keyboard: evitates keyloggers
random_access_question:
check_random_account_country_change = let's say user is from albany and next day he logs in from south america, that should maybe raise a flag to your system.
I'm sure you will find plenty of advice somewhere, but remember you at end will end talking html, and some js, your main defense is on the server side, so be good, or be good at it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
If I had let's say a sensitive report in PDF format and wanted to send it to someone, what is the most secure way?
Does a desktop application make it more secure? Since we are basically doing a client to server communication via private IP address? Then add some kind of standard encryption algorithm to the data as you send it over the wire?
What about a web based solution? In web based, you have a third person in the loop. Sure, it would do the same kind of encryption that I would have on a desktop.. but now instead of client->server directly, you have client->server | server<- client... You also have exposure to the broad internet for any intruders to jump in, making yourself more open to man-in-middle attack... One thing the web has going for it is digitial certificates but I think that is more authentication than authorization.. which the desktop problem doesnt have?
Obviously from a usability point of view - a person wants to just goto a web page and download a report he's expecting. But most secure? Is desktop the answer? Or is it just too hard to do from a usability perspective?
OK there seems to be some confusion. I am a software engineer and am facing a problem where business users have some secure documents that they need to distribute - I am just wondering if using the web and SSL/CA is the standard solution to this, or maybe a desktop application could be the answer??
The method that comes to mind as being very easy (as in it has been done a lot and is proven) is just distributing via a web site that is secured with SSL. It's trivial to set up (doesn't matter if you're running Windows, *nix, etc) and is a familiar pattern to the user.
Setting up a thick client is likely more work because you have to do the encryption yourself (not difficult these days, but there is more to know in terms of following best practices). I don't think that you'll gain much (any?) security from having to maintain a significantly larger set of code.
Most secure would be print it, give it to a courier in a locked briefcase, and have the courier hand deliver it. I think that'd be going overboard, though :)
In real world terms, unless you're talking national security (in which case, see courier option above), or Trade Secrets Which Could Doom Your Company (again, see courier option above), having a well encrypted file downloaded from the web is secure enough. Use PGP encryption (or similar), and I recommend the Encrypt and Sign option, make the original website a secure one as well, and you're probably fine.
The other thing about a desktop application is: how is it getting the report? If it's not generating the report locally, it's really doing just as many steps as a web page: app requests report, report generated, server notifies client, client downloads.
A third option, though, is to use something other than the website to download the reports. For instance, you could allow the user to request the report through the web, but provide a secure FTP (SFTP or FTPS) site or AS2 (or AS3) connection for the actual download.
Using a secure file transfer (or managed file transfer) is definitely the best option for securely transferring electronic data. There are smaller, more personal-use solutions out there like Dropbox or Enterprise solutions like BiscomDeliveryServer.com
Print it off, seal it in an envelope, hire some armed guards for protection and hand deliver it to them.
You may think its a silly answer, but unless you can identify what your threat vectors are any answer is pretty meaningless, since there is no guarantee it will address those threats.
Any system is only as secure as it's weakest link. If you sent the document securely and the user downloaded / saved it to their desktop then you'd be no better off than an unsecure system. Even worse they could get the docuemnt and then send it onto loads of people that shouldn't see it, etc. That leads on to a question whether you have an actual requirement that they can only view and not download the document? If not, why go to all this effort?
But if they are able to down load it, then the most secure method may be to send them an email telling them that the document is available. They then connect to a system (web / ftp?) using credentials sent separately to authenticate their access.
I'm surprised no one has mentioned a PK-encryption over email solution. Everyone in the "enterprise" gets a copy of everyone else's public key and their own private key. Lots of tools exist to do the heavy-lifting. Start with PGP and work from there.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Let's say I have designed s very important system, and this system costs thousands dollars. I want to protect my system with a serial number as I know crackers will try to edit the binary code to bypass the serial number.
I have read about using a checksum function and apply it over my binary code and check the value if changed, but again, we are talking about a condition a cracker can avoid by editing the code.
My question is: what's the most used technique to protect important programs?
I have yet to see a "protected" digital product that had not been cracked pretty quickly after its publication (or in some cases, before its publication). Sorry, but it's the reality. You have to get the revenue by making a good product. Most of those who want to use it and can afford, will pay.
There will be a few dickheads, but that's life. You better be kind towards the legit users of your software and not bully them with weird copy protection attempts that don't work anyway.
If your app is working offline, whatever checks you do (check sums, serial code validity, etc), do them often, repeating verification code, in many routines of your software. Obfuscate your code, to make reverse engineering a more difficult task, and, if you have the possibility, implement an online check, part of the core functionality of your app residing on your server, and being serviced only to those installations that you have checked server-side for valid license key. Associate the license key to some form of unique identifier of the hardware the app is running on, and if you check online, have statistics concerning the IPs that make the verification request: if you encounter more IPs trying to verify the same license key, contact the buyer and approve a list of IPs they usually log on from, whilst blacklisting any other until specific request from them, either by mail or by phone.
The most used technique is serial numbers. But your customers will have access to the code, so they will be able to bypass your serial number check, no matter how much work you put into obfuscating it.
However, if you can provide your software as a subscription-based or one-time-payment web application, then people will not be able to do this. Whether this is feasible or not depends on the type of application you're writing.
I would always recommend to build a custom software protection before applying any kind of commercial protector such as a Packer.
In any case just a serial validation and a checksum check are not going to keep crackers away.
I would recommend you to visit my new blog www.anti-reversing.com and take a quick look at the anti-piracy tips & tricks page just to have an idea about what I am talking about.
I have tried searching, and all questions are related to specific things like "how to generate key", and the like. Can anybody explain how different types of software activation work?
In the most simplistic case, it is as maxwell5555 described. A registration code ("CD key") is sent to the user who enters it into the program or installer. The whole process can basically be done offline; the program itself locally determines that the code is valid or invalid.
This is nice and easy, but it extremely vulnerable to key sharing - since there's no "phoning home" then the application cannot know that thousands of different people are all using the same key that they got off the internet or a serial library or their friend. It's also reasonably easy to make "keygens" which generate valid-seeming keys that were never actually issued by the developers.
Then we get into online registration. You still have some kind of code, but the program will phone home back to the server to determine whether the code is valid and usually unique. This stops basic key sharing, because the company knows if too many people from all over the world are all using the same key. Perhaps there is some kind of indentification involved using MAC address, too, with infinte registrations allowed on the same hardware but maybe a limited number on what appears to be a different computer.
This is still pretty easy and stops simple key sharing. People will actually have to get into cracking the software or faking the server response to get past it.
Sometimes the program itself is partially/mostly encrypted and is only decrypted by the online registration step. Depending on how well this is obfuscated then it can be pretty difficult and time consuming to crack. Bioshock was a high-profile example of this - debuting with a brand new encryption/copy protection scheme that took around two weeks from release to be broken.
Finally, a particularly guarded applciation might stay in constant contact with the server, refusing to work at all if the connection is severed. In this case to get arouind the activation you need to fake the server itself. Steam emulators and private WoW servers are an example of this.
And in the end, nothing is uncrackable.
I suspect a lot of the implementers will not give this information out because it opens them to hacking. But if I were to do this, this is how I would go about it:
Decide if the software is licensed to a person or a computer.
Find a way of identifying the person/computer (login account or ID from the computer hardware).
On request/payment: in your private database, create a licence key and add an entry for the person/PC with this key.
Provide the client software with the key.
Your software either stores the key locally, or regularly checks for the key giving a service of yours the identifying information in return for which your service supplies the key if there is one. If none is found, your software offers them details to purchase a licence. The latter allows for floating keys, computer upgrades, and identifying duplicate installations.
Is that what you were asking for?
A common, simple way of implementing software activation/registration is to create a license algorithm. For example, lets say I have some shareware I want to protect and when someone gives me money, I send them a 4-byte registration code. I could build the algorithm into my shareware such that it validates the code the users enters. My algorithm would be as follows:
1) Byte0 * Byte1 = 6
2) Byte2 - Byte3 = 1
3) Byte0 + Byte2 = 8
Two possible valid codes are:
3254
1676
When the user enters a valid code, the software unlocks its regular functionality by setting a flag somewhere. Obviously, this is an extremely simplistic example. Registration validation algorithms can be as complex as you want.
You can also perform this registration over the internet to protect your validation algorithm from reverse engineering, and keep people from sharing keys. No validation scheme is perfect though.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Like probably a lot of software developers, I almost never see real users using my software.
It is, of course, quite difficult to get good user feedback in this situation. Even if some users agree to give me some piece of information about the way they use the software, there's a huge difference between how they really use it and how they think they use it.
By chance, my software is client/server, which means I can quite easily technically collect some information on the server.
Of course, nothing equals looking at a real user using the software in real life, but I think it's better than nothing, or at least it's worth trying :)
While I log all the exceptions raised on the client in my database, I've not been beside this point yet.
Has anyone does that before?
What information would you log?
Are there some legal issues? How should I deal with those?
I face the same problem with the software I'm developing, though I have no users for it yet.
I generally think that monitoring should always be opt-in, and that you should have the ability to review before materials are being sent. I think most people would agree to that.
However, from a legal standpoint there are greater issues at stake. Some companies restrict users in installing software that has any components that "call home" for security reasons. Depending on the usage context, any monitoring data can potentially reveal secrets.
For example, my software annotates things in the IDE. If I transmitted "home" details about files that are open (rather than hashes), even without the content of these files, I would still possibly be sending confidential details. If your tool can be used to open images or documents, there may be similar issues.
I would suggest hashing or finding way of obfuscating results on the client side, and ensuring via sufficient tests that there cannot be a situation where your software sends information home without consent and obfuscation. If I'm not mistaken, if your software does so, even by mistake, you may be violating US federal laws.
Also, make sure to encrypt the details as you send them over the wire.
Finally, if some of your users are in the EU, where privacy laws are stronger, your database of exceptions may be legally considered a "database" in itself (e.g., if you store SQL statements as they were executed and failed and these contain production values). So you may have to follow a lot of the rules about personally identifiable information.
When I did UI development, I used to collect every user command (button push, menu selection) and log them to file with my own internal debug information, but auto-delete the log files after a few days. This information is invaluable when trying to debug your own software (user can rarely recall precisely the steps they took when a problem occurs). I also kept a record of every application startup, in case we had a compatibility problem with third party software.
The point is that the information wasn't used unless a problem did occur, it was kept locally with no remote access, and it automatically got deleted if there was no problem. Only if the customer called us in for a problem did we access the log data.
Actively tracking user operations and sending them back to base is a separate issue entirely, and I've always shied away from that.
This isn't exactly what you asked for, but you do have a few options that are not programming-related solutions:
1) Do some hallway usability testing (scroll down to #12).
2) Try a product like Morae to set up a more formal, but remote, viewing session.
3) Ask a client to watch over their shoulder, using something like GoToMeeting, CoPilot or WinVNC. Or go to their site for a day and hang out watching over their actual shoulder.
Any of these will give you a really good idea of what works and what doesn't.
You could do something like this, which captures mouse movements and replays them for you to see using javascript and ajax.