I typically have not worried at all about piracy or copy protection with software however I currently find myself in a unique situation. I develop an application for repairing computers for a specific computer repair company. Recently an employee has decided to quit the company after only working there for one month, and took my toolset with her. She then started a computer repair company out of her home and is using my toolset to fix computers. I am not particularly concerned with this person as our lawyers are already in hot pursuit. My concern is with future instances of this where I may not find out about them.
What I would like are some ideas for ways to protect and or phone home without being too over-bearing. I hate software that is too protected and becomes annoying or worse yet, worthless. This application is never to leave the walls of the computer repair company as they do not do on-site repair and I think I can use this to my advantage.
I do have a couple of ideas about how to go about restricting usage to within the company but I would like to hear how others have dealt with situations like this. Currently I keep going back to checking the network for specific servers or ip ranges but does anyone else have any other ideas?
First i think you have to decide what you are protecting against, as game developers have learned over the years you cannot stop ppl from copying your app/game.
Assuming what you want to protect yourself against the above senario again, i can think of 2 ok solutions.And your app has access to the network "always" or normaly duing normal use.
Phone home:
Have the application phone home to some server software, either on the company network or via internet. Have the application send some information to the server, and have it respond with either OK or die command.
To prevent someone from stealing the server, hardcode the server application ( If its installed at the company) to accept 1 physical server ( IE requires the machines has X mac, Y CPU serial, L mainboard serial).
AppServer sending verification
Since you where thinking about sniffing the network from trafic thats posible, but might be better to have a server part that sends out a verficiation code ( IE some public,private key encrypted message with a timestamp?) at periodic intervals.
Depending on X server sends some network trafic every now and then does not seem logical, and could create issues ( IE that server gets removed, but nobody knows you app depends on it to respond to ping).
Also spending on being able to ping XXX.XXX.XXX.XXX and som MAC address in the network is fairly simple to fake.
I've been looking recently at using the open source Rhino Licensing solution http://hibernatingrhinos.com/open-source/rhino-licensing - this seems like quite a sophisticated solution and the source includes an example application which you could alter for your individual needs - e.g. you don't have to lock the user out if you don't want to.
Related
In the domain we have two types of networks. One type is allowed to connect to the internet and the other does not allow connections to the internet. The internal network is available to both.
We have a webserver in the network that hosts a Blazor Server application (using iis). The server is in the network that can use the internet. Now when i use my laptop that is also in the network that can connect to the internet, the website on the server is fast and gives me a snappy response. When i open the same site on a computer that is in the network that is not allowed to connect to the internet, the loading speeds are dramatically decreased. We see a slight increase when we set the protocol to http instead of https, but it is not a game changer.
We see that the data is loaded realy fast but the network request takes up to 6.5 seconds and the loading of data 29 miliseconds.
Anyone have any ideas?
We switched the application from https to http. This was a slight increase.
We used wireshark to check the networktraffic but we see the delays in there as well. The connection itself is good not red flags.
We changed the underlying platform of the application from .net 6 to .net 7. This did not make any difference.
We changed the deployment mode from framework-dependend to self-contained. Still no difference.
As soon as we enable the internet for the network, the site is fast again.
UPDATE 26-01-2023
After some more research we figured out that there are two ip addresses that need to be let through to make it fast again. The IP's are 142.250.179.131 and 23.2.226.23. The first IP is an IP owned by Google and has something to do with gstatic, and the second is from a company named Akamai Technologies.
None of the nuget packages or references in the application code reference any of the packages created by Akamai Technologies or Google. Or is there something else i am missing?
Well, if this is the case. I think this also needs to narrow down the scope of this issue. Have you tried to access the site directly using the domain name and port? For this result, you may need to take different actions:
Issue still occurs. Then this problem may be related to the application code development, you need to review the code and troubleshoot.
Issue resolved. Then you may need to check the performance of IIS server. Try to use the Debug Diagnostic Tool and check its performance. Something like this:
In case the point-of-sale card reader stops working, a backup card entry method is required by the card-processing vendor. The processor's suggested method is that the application hosts a WebBrowser control to the vendor's own site in which the credit card info is entered at checkout, and to watch for the URL to change to know when the transaction is complete and receive the verification token.
This struck me as a potential PCI minefield:
The keypresses are going into the same process as the rest of the point-of-sale application and the WebBrowser also provides in-process DOM hooks
I'm not sure what this means for HTTPS certificate validation in case of MitM from a separate machine
There are probably other things I don't know about that are just as important. (Deprecated protocols and algorithms?)
To be sure, a standalone web browser could have some of these same issues but at least it wouldn't be the responsibility of the application codebase. I wouldn't want a PCI audit to have problems with something unrelated in the codebase just because it shares a codebase with payment entry.
Am I overthinking this since it's only a backup method to be used if the card reader is down? What is the standard way of handling this?
If you were being audited, an auditor would look for the following basic things:
How frequently is the embedded browser updated by the manufacturer? How does it receive updates? Will it receive/deploy automatic updates? Or, will you have to redeploy the application whenever a critical security flaw is discovered/patched? How do you manage these updates? If the updates are automatic, how do you QA them after they're in prod? If you have to redeploy the application, how will you roll it out to users? How will you be certain that all users update from insecure versions to secure versions? How frequently are they pushed? Do you have a good set of processes to manage between updating so frequently that your users never have a clue what they're going to open up and updating so rarely that you are running extremely vulnerable software?
In practice (particularly if you're subject to a post-breach audit), is the embedded browser fully updated to protect against patched security threats?
Does the embedded browser protect against browser based threats like drive by downloads? Will your anti-virus solution still work with an embedded browser? Are you sure? How have you tested that?
If you were, say, running a virtual terminal inside of a browser, you'd want to be able to answer those same questions, only about the regular browser. So, using an embedded browser doesn't change the letter of PCI-DSS. However, the security processes around the embedded browser will be different.
For things like MITM attacks, I'm not entirely sure that I understand your question. An embedded browser would be as vulnerable as a regular browser to MITM, though some regular browsers have more enhanced protection against man in the middle attacks. For example, if your embedded browser was an updated version of Google Chrome, I'd feel a heck of a lot more secure than if your embedded browser was a version of IE 6 that hasn't seen an update this decade.
The important thing to remember is that if your cardholder data environment (CDE) is within a secure network that receives regular vulnerability scans (and if you have a good, written process governing how you perform vulnerability scans), you should be fine in the event of a breach. The kicker though is that you need to document both the process and how you follow the process.
Say, for example, that your process is to:
a.) Have an expert on your team do vulnerability scan every second Friday.
b.) Hire an outside firm to do a full vulnerability scan once per quarter.
You'd need to have records of:
a.) Who is your expert? How was she trained? Is she qualified to do vulnerability scans? If she finds a vulnerability how is it escalated? What dates did she perform the scans? Does she have any print-outs of the results? Does she fill out a form with her findings? Do you have all of the forms? Can I see the results of the vulnerability scan she performed on December 18, 2015?
b.) When you have professional scans done, who performs them? How do you vet that the firm is qualified? How do you vet that the person who did them is qualified? What happens if they find vulnerabilities? What happens if they find vulnerabilities that your in-house expert doesn't find? Can I see their last report? Can I see the report from three quarters ago?
I have made a desktop software in C# and i am going to make a 30 day free trail of the software ,now i will check the date and time from some server to check the date ... My question is, can the hacker hack this and produce somekind of key or steps to make it full version or produce some crack of it in the market for everyone(I know that a hacker can hack any product )???
Actually, a hacker can figure out what you are checking a date by REST API, by the monitoring of http traffic, then change the DNS name of your API to local host locally and provide you fake REST API response.
Sure, any software running on the desktop can be decompiled or reverse engineered. Then a patch can be created to disable any security features you've build into the application.
But this requires a lot of work. Not many applications are valuable enough for some hacker to spend so much time on it.
As others have already replied, it's trivially easy to intercept http(s) requests made to a server. Why don't you just use the date/time from the machine/device itself? Not many people will be willing to live with a date set back on their machine just to run your software illegally.
The real problem is where do you store that date. The first time the user legitimately installs your trail, that date won't be present. What is to prevent users from deleting that date and starting the trail period over?
To protect yourself from all this, run (parts of) your software in the cloud. But in that case, you'll need an authentication mechanism for your users.
I'm writing a small client program to be run on a terminal server. I'm looking for a way to make sure that it will only run on specified server and in case it is removed from the server it will stop functioning.
I understand that there are no methods to make it 100% secure, none the less I want to make it difficult for most power users to be able to do it.
I was looking at different Unique Identifiers like Processor ID, Windows Product ID, Computer GUID and other UIs. Because the terminal server is a virtual machine, I cannot locate anything that is completely unique to this machine.
Any ideas on what I should look into to make this mostly secure. I do not have time or the need to make it as secure as possible, because it will defeat the purpose of the application itself.
I do not want to user MAC address. Even though it is unique to each machine it can be spoofed by following instructions found on internet.
As far as Microsoft Product ID, because our system team clones VM servers and we use corporate volume key, I found already two servers that I have access to that have same Product ID Number. I have no Idea how many others out there that have same Product ID
Alternatively instead of trying to identify the machine, I might be better off by identifying the user and create group based permission handled through AD for access to this software.
By design, uniquely identifying a virtual machine is difficult; anything that allowed you to uniquely identify it would imply that it was not fully virtual (because cloning a virtual machine should produce an identical machine).
Create a heartbeat application on the host machine that communicates with the VM via a loopback network adapter.
Have the heartbeat application refuse to run if it is not able to uniquely identify the host machine.
Have the main application refuse to run if the heartbeat application is not running.
You will need to find a way to ensure that the heartbeat application cannot be spoofed too easily.
It is not possible to protect the terminal program 100%. This question is equivalent to trying to prevent software piracy.
The best thing I've found is the BIOS UUID - but it's far from perfect for your use case.
The SMBIOS UUID available inside the VM is also used by the VMware hypervisor and management tools as VirtualMachine.config.uuid (See: the uuid property on this page). This means it is guaranteed to be unique on a particular host, or in a particular vCenter. However, it can be duplicated on separate hosts or separate vCenter installations.
Also, the BIOS UUID on a virtual machine is mutable. It can be changed through the API (though not easily through the client).
This probably approaches your 95% mark, as it would take some special effort and setup to duplicate the VM exactly.
However, from a virtualization-enablement perspective (including things like VM disaster recovery, and future upgrades of virtualization software): using a hardware ID like the UUID or MAC address causes all sorts of problems. When they want to rev the OS version underneath your software, usually by creating a new virtual machine, they would need to manually edit the VM config for both servers to change the UUID to match. Using the MAC, if they change the network architecture, your software requires that VM to be a special case. These things just cause headaches for a virtual admin (but they might be the exact headaches you're trying to cause - only you know for sure).
I'd recommend using the permissions-based approach you mention, or even a concurrent-licensing server if necessary. But I'm coming from a heavily-virtual background where hardware-tied licenses are a headache already.
Simplest solution is to use the mac address, but note that it is easily changed on Windows by editing the registry. I'd say less than 5% of people know how to do that though.
Here's how to get the mac address in C#:
System.Net.NetworkInformation.NetworkInterface.GetPhysicalAddress();
You can tie the license to the MAC address of the network card (or cards, if there are several).
Of course, changing the network card would then stop your software from working.
If/When TPM becomes standard on servers, you should be able to use it to authenticate the server.
You can get the PC's MAC Address as shown here: http://www.java2s.com/Code/CSharp/Network/GetMacAddress.htm
Of course, this approach is not without flaws. There are other approaches listed in this post, which is similar, but not an exact duplicate: What's a good way to uniquely identify a computer?
expanding on the macaddress approach. you could use the macaddress with an md5 function around it with a SALT that was only known to the system owners. this way, the macaddress is useless without knowing the SALT.
just my tuppence worth.. :)
[edit] - see also here for c# example on hashing/salting etc:
MD5 hash with salt for keeping password in DB in C#
http://www.obviex.com/samples/hash.aspx
If you want 95% I'd go with the Mac ID - it can be spoofed, but by default is unique for the machine.
I don't know if anyone has any expertise with Novell Netware or not, but I situation where one of my clients is getting a weird error trying to move a file to a netware share. The situation is pretty complicated but I'll try and outline it as best I can.
1) The application is running as a service
2) The file to be moved is a local file in an accessible location (to the service)
3) The file is being moved with FileInfo.MoveTo().
4) The MoveTo is throwing an IOException and the message is "a device attached to the system is not functioning".
I'm at a loss as to explain what might be happening. On a side note, it seems that running a small test program interactively using the same method (FileInfo.MoveTo) to the same location works fine so it seems to be associated with the service itself.
Any help would be hugely greatful. Thanks.
Kristofor Wilson
That's normal. Windows services need to login to the server separately, like local users do. When you run your program interactively, it accesses the NetWare server using your, already established, connection. To access the server from the service, your program needs to establish its own connection first.
I am afraid I don't know how to login to NetWare from a C# program, and I am not sure if it is possible to set up your service that it does not need to log in to NetWare. I'd explore one of these ways though.
Oh, almost forgot. If a local user has NetWare volumes mapped to disk drive letters in Windows, like SYS: volume to P: and so on, these mapping will not be visible to the service; it will have to map the volumes to letters separately, or use UNC paths
The later (Last versions) of Netware where able to emulate a windows server whilst still functioning as a Netware server. No big deal to set this up so might be an option for you,.