Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
We are trying to offer a license mechanism for every feature our Linux application is running, and we are thinking of controlling it in a centralized way using a license server:
Our aim for licensing is:
Deny features the operator has not bought.
Offer trials (features which expire if they are not bought).
Activate features for periods of time, and make them available just for some period of time.
Is there any server license which allows us to do this (basically, we would use sockets to communicate with our application)? What else can we do (for example, use some open source software, read, etc.) to get started?
Do you really need to "phone home"?
I've seen a relatively painless license system, through which the user was provided an XML file that described the period the license was valid, an optional IP address, and the list of "unlocked" features. A digital signature was generated using the vendor's private key, which was reinserted into the license file. At startup, the application was reading the license, validating it, checking the IP and unlocking the features accordingly.
The vendor can provide newer licenses to the client when needed.
Although you could theoretically fool the license by changing the machine's local time and fudging with the IP address, in that case this would have made the application quite cumbersome to use, so this was not a problem.
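The signed license file described in this answer, sketched in Go as an added example (not code from the answer or from any product). The element names, the choice of Ed25519 and the all-zero demo seed are assumptions; the answer does not name a signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// License is a hypothetical layout; the element names are assumptions.
type License struct {
	XMLName   xml.Name `xml:"license"`
	NotBefore string   `xml:"notBefore"`    // RFC 3339 timestamp
	NotAfter  string   `xml:"notAfter"`     // RFC 3339 timestamp
	IP        string   `xml:"ip,omitempty"` // optional binding
	Features  []string `xml:"features>feature"`
	Signature string   `xml:"signature"` // base64 Ed25519 signature
}

// signedBytes is a length-prefixed encoding of every field except the
// signature, so XML whitespace or reordering cannot change what is signed.
func (l *License) signedBytes() []byte {
	var b []byte
	for _, f := range append([]string{l.NotBefore, l.NotAfter, l.IP}, l.Features...) {
		b = append(b, fmt.Sprintf("%d:%s,", len(f), f)...)
	}
	return b
}

// Issue runs on the vendor side only; the private key never ships.
func Issue(priv ed25519.PrivateKey, l License) ([]byte, error) {
	l.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, l.signedBytes()))
	return xml.MarshalIndent(l, "", "  ")
}

// Verify is the startup check: signature first, then period, then IP.
func Verify(pub ed25519.PublicKey, file []byte, now time.Time, hostIP string) ([]string, error) {
	var l License
	if err := xml.Unmarshal(file, &l); err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(l.Signature)
	if err != nil || !ed25519.Verify(pub, l.signedBytes(), sig) {
		return nil, errors.New("bad signature")
	}
	from, err1 := time.Parse(time.RFC3339, l.NotBefore)
	to, err2 := time.Parse(time.RFC3339, l.NotAfter)
	if err1 != nil || err2 != nil || now.Before(from) || now.After(to) {
		return nil, errors.New("outside validity period")
	}
	if l.IP != "" && l.IP != hostIP {
		return nil, errors.New("IP mismatch")
	}
	return l.Features, nil
}

// DemoKeys derives a key pair from a constructed all-zero seed (demo only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	file, _ := Issue(priv, License{
		NotBefore: "2024-01-01T00:00:00Z", NotAfter: "2024-12-31T23:59:59Z",
		IP: "192.0.2.10", Features: []string{"export", "reports"},
	})
	fmt.Println(Verify(pub, file, time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC), "192.0.2.10"))
}
```

Editing a feature name or a date in the file invalidates the signature; the check still trusts the local clock and the reported IP, which is the limitation the answer itself points out.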
If you really want to use a license server then make sure that your application does not have to contact it all the time to authorise use - this will lead to no end of problems when people lose their Internet connection or your server goes down or crashes.
I would suggest having something where a key is downloaded and stored locally, thus reducing round trips to the server all the time. The key can be encrypted based on the user's machine details so that keys cannot be shared.
We've used the HASP hardware key in the past and while they definitely work and provide a solution, I don't think they are what you want as they are programmed once and that's that. For example, you wouldn't be able to update the HASP key to close a trial period.
There are times when software does need protection - check out these guys here - they provide hardware and software solutions.
FLEXnet (formerly known as FLEXlm) is a licensing package that is commonly used by high-end or specialized software packages, for example in the electronic design automation market. You can lock a license to a single machine (by hostid, usually an Ethernet MAC address) or to a portable hardware dongle, or have a networked server handle sharing a limited pool of concurrent licenses to clients running your software. Licenses can be granted for a limited time or permanently, and also can be limited by a version number. A license file describes the features that are licensed.
FLEXnet includes several APIs for integrating with your application, including one for C++. I imagine it uses public key cryptography of some kind. Generally, an application using FLEXnet only "phones home" when you ask it to through your use of the API. Many applications check the license once, at startup, or reserve a license from the pool for the duration of the application's runtime.
You pay an annual license fee, of course, to use FLEXnet in your products, starting above USD 1k. The fee varies by the revenue of your company and by the number of platforms (OS/CPU combination) you want your licensing scheme to be able to run on.
I would say it's not worth it to use something like FLEXnet if your product sells for less than several thousand USD per seat. It is onerous to use (the source of a good percentage of support calls for our company), but corporate customers may already be familiar with using it, depending on the market.
FLEXnet, like every DRM scheme I've heard of, is easily cracked. At least I assume it is, since unlocked versions of our products are regularly found on warez sites.
This is such a Dilbert-esque way of doing things. Just say no.
Although hated, this is a standard feature in high-end specialized software which costs tens of thousands of dollars. Think 3D scanners and CNC stuff.
If you do plan to code something up yourself, a common mechanism that I have seen is to tie the license to a MAC address.
Having used various packages that make use of license servers like this, I can tell you it is one sure way to make your software universally hated by its users.
A common licensing software is flexlm. However I would think twice if I would impose these restrictions on my users. Many users dislike them; especially from the FOSS/Linux environment.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I would like to start selling some software I have developed in C++. The first line of protection will be the fact that C++ produces an executable. Within that, I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked.
With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored. If it does, it will reply with some sort of cryptographic response that must match a certain pattern. The client will then check if that response matches the pre-determined pattern, and if it does the software will be allowed to be used. If it does not, the user will be locked out. And this response will be empty if the API check failed, so that will also cause the user to be locked out.
I am aware that this is not unbreakable, but I would like to make it as difficult to break as possible without investing a ridiculous amount of time. The reason I wanted to add some cryptographic response is so the user can't just spoof the response from my server. Although I will also be using HTTPS on top of that. If this is a good idea, what sort of cryptographic check would you recommend?
The idea of the fingerprint is to prevent users from using the software on multiple computers at a time. I'm not quite sure what to use for this, but I was thinking of hashing a combination of the MAC address, computer name and something else. Any suggestions?
Is there anything else I should be doing to protect my software?
Thanks.
Don't waste your time. It's impossible to stop everyone, and even if you stop 99.999% of the people from cracking it, it only takes a single person to crack it and upload it to all the pirate sites. And the harder you make it, the more it will annoy legitimate users.
I'm working professionally on creating a software licensing system. I can tell you that it's not easy to make a software protection system that will be safe enough to discourage people before they break it.
Yes, all systems are crackable. It's only a matter of time before someone finds a way to bypass security. Our job is to make it as hard as possible, giving them as few clues as possible.
"I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked."
The goal is not to understand the application, but to run it without a valid license.
"With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored."
What you're describing is called a license server. It holds licenses and makes sure that the system users do not exceed their number.
"and ensure the device fingerprint matches the fingerprint stored"
Those fingerprints are called hostids and there are many types of them: BIOS ID, hard drive serial number, MAC address, dongle (USB stick with a license on it), username running the application, etc. Most of them are pretty easy to forge. But as I said, the goal is to slow them as much as possible.
"I am aware that this is not unbreakable."
That's very wise of you.
"but I would like to make it as difficult to break as possible without investing a ridiculous amount of time"
You've cat to be kitten me.
Unless the license server is in the same network as your software, it won't be able to run without an internet connection. It might not be an issue for you, but it is for many companies.
I'm not saying it's a bad idea. Writing such a system is a great exercise and I highly recommend it to every programmer, but that's not an easy piece of bread.
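An added example, not part of the original posts, of one cryptographic check that fits the request/response design in the question: the server signs the license key, fingerprint and a client-chosen nonce with Ed25519, and the client verifies the reply with an embedded public key. The nonce, the message layout and all sample values are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is what the client sends; Nonce is fresh per request (an assumption).
type Request struct{ Key, Fingerprint, Nonce string }

// Fingerprint hashes MAC address and computer name with length prefixes.
func Fingerprint(mac, host string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s%d:%s", len(mac), mac, len(host), host)))
	return hex.EncodeToString(sum[:])
}

// NewNonce returns 128 bits from the OS random source, hex-encoded.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// transcript is the exact byte string the server signs and the client checks.
func transcript(r Request) []byte {
	return []byte(fmt.Sprintf("license-ok/v1 %d:%s%d:%s%d:%s",
		len(r.Key), r.Key, len(r.Fingerprint), r.Fingerprint, len(r.Nonce), r.Nonce))
}

// Server holds the signing key and a license key -> fingerprint table.
type Server struct {
	priv ed25519.PrivateKey
	db   map[string]string
}

// Handle signs only if the key exists and the fingerprint matches, else empty.
func (s *Server) Handle(r Request) []byte {
	if fp, ok := s.db[r.Key]; !ok || fp != r.Fingerprint {
		return nil
	}
	return ed25519.Sign(s.priv, transcript(r))
}

// CheckReply runs in the client, which embeds only the public key.
func CheckReply(pub ed25519.PublicKey, r Request, sig []byte) error {
	if len(sig) == 0 {
		return errors.New("license refused")
	}
	if !ed25519.Verify(pub, transcript(r), sig) {
		return errors.New("forged or replayed reply")
	}
	return nil
}

// NewDemoServer uses a constructed seed, license key and host values.
func NewDemoServer() (*Server, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	db := map[string]string{"DEMO-0001": Fingerprint("02:00:00:00:00:01", "ws-01")}
	return &Server{priv, db}, priv.Public().(ed25519.PublicKey)
}

func main() {
	srv, pub := NewDemoServer()
	n, _ := NewNonce()
	req := Request{"DEMO-0001", Fingerprint("02:00:00:00:00:01", "ws-01"), n}
	fmt.Println(CheckReply(pub, req, srv.Handle(req)))
}
```

Because the signature covers the nonce, a reply captured from one session fails verification in the next; the check in the client binary itself can still be patched out, as the answers note.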
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
I am just trying to look at different licensing models and potential technical C++ implementations.
Suppose you have a desktop application including several algorithms (A1, A2, A3). This application is communicating with some server (potentially in the cloud). These "local" algos may be used independently. Is there any solution/framework out there which could allow us to bill their usage independently?
For example, one user uses algo A2 and A3. Before saving files, the software computes the final bill, sends it to some server, asks the user to pay it and generates the results file.
This would allow us to ship a potentially expensive software "for free" to the users, without the risk for them of spending an enormous amount of money upfront without being sure this software will actually be heavily used.
Related question: what are the risks?
Though your pricing model is feasible for large scale and probably the same as what the cloud offers,
I don't think any native application would be scalable/feasible with this model.
For most software that is too costly to buy for each user, they give a floater license and a cap on the number of simultaneous users.
Pay as you use is great, but it is the same as cloud computing, so then the question is simple.
Do you want to reinvent the wheel?
Unless you don't want to invest in your own cloud server, you can easily put your application on another cloud.
If you are ready to invest in building and maintaining your own cloud, then you should go ahead.
Edit:
You can use a web service or the payment method. Expose the web service for calculating the price to be incurred. I would personally use Java or C# for this purpose, as Java and C# have enough support for it. For the wrapper around the C++ code I would use either JNI or the C++/CLI language support.
Another thing is, I have not come across any open source tool for it; each web service has its own requirements. You can get the architecture but no ready-made work.
C++ code->webservice->price billing->result returned to caller.
Regarding Technical Difficulties.
It would not be possible to do things completely in C++. You may require many other tools with C++.
Consider such a scenario:
The program processes the data on the customer's computer, produces some cryptic data at this stage and calls home (your server).
The server there decodes the data, makes the final analysis and sends info to the client: "It will cost you X dollars to see the result. Do you want to proceed?"
If yes, the client makes the payment and gets the result.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
I'm creating an open source GPL H264 encoding lib/app (based on x264). Do I need to pay for the license?
According to this blog article, the MPEG-LA specifically indicated that license fees are required even for open source software:
In response to your specific question, under the Licenses royalties are paid on all MPEG-4 Visual/AVC products of like functionality, and the Licenses do not make any distinction for products offered for free (whether open source or otherwise)…
However, like many patent-encumbered technologies, the licensing landscape is very complex and confusing (that's what lawyers do), so it's hard to say that a 2nd hand comment from an email sent by someone in the MPEG-LA organization can be considered definitive. If I were writing open source software, I'd probably just shy away from H.264 if at all possible (and maybe rely on system installed codec if that's an option). If I were writing commercial software, I'd definitely get a license, either directly or indirectly by licensing a library from an outfit that had a license.
Sorry to be absolutely no help...
MPEG-LA claims the patents they license are necessary to implementing H.264. A summary of their licensing terms doesn't show an obvious exception being made just because some software happens to be free. On the other hand, all of their language talks about codecs that are "sold". My guess is that you'd just about have to get the real license agreement (available via hardcopy only) to come to any solid conclusions.
As a worker in the video compression industry, I can offer my understanding (I am not a lawyer) that to just operate an H.264 codec legally you need a license.
Whether that is enforceable depends on how public or private you are about operating your codec.
This is the licensing organization's web site: http://www.mpegla.com/main/default.aspx
Certainly if you purchase a commercial codec, say as part of some video editing software, then you've paid for a license. On the other hand, if you've downloaded ffmpeg and you run it without paying anything to anybody you are in violation. If you search out a contact within the licensing organization to send a check to, which I don't pretend would be simple, then you could conceivably arrange a license to run ffmpeg.
Whether you can announce and/or distribute a codec you've written without arranging for those who receive your codec to also receive a license is borderline - clearly the licensing organization wishes you to make such arrangements. Making an announcement is a public act, so you don't have any protection of privacy. Ffmpeg, on the other hand, gets away with being public and not making any licensing arrangements - however they are A) a project of significant size with many people willing to support it; B) very clear that they consider any onus to be on the user and not on them.
You don't need a license to write source code. MPEG-LA's opinion is that you need one to distribute it.
You need a license according to the way you are planning to put it on the market. If you are planning to make money out of it in any sort of way (like advertisements), then you will be liable to pay the patent holders (here x264). For more info: http://www.mpegla.com/main/programs/AVC/Pages/AgreementExpress.aspx
http://weblogs.mozillazine.org/bz/archives/020400.html
and you could get a hard copy from MPEG LA by sending details to them.
Yes, you do, at least in the United States.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 13 years ago.
I need to create an application which will be reading and writing to files (C++/MFC), but I need the process not to appear in Process Monitor (which comes with SysInternals).
From the reactions of others, I now confirm that this seems "illegal", but that is the request of the client I'm dealing with. So, I guess I just have to satisfy the client's request.
One of the uses of Process Monitor is to find and remove malicious software that tries to hide from the user:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
I am not saying that what you want to do is impossible, rather that you are trying to do something that feels a bit dishonest.
That being said I would like you to consider the fact that you are trying to hide a process from a utility that was written to find anything and everything by folks that are a lot smarter than you and me.
I'll assume you're not planning to do anything malicious. If that's the case, it's important you don't hide your application from diagnostic tools. You can't guarantee your application is bug free. Even if it is, you can't predict its interaction with other applications. Because of that, you should leave it visible so other technical people can troubleshoot if something goes wrong.
Regarding your comment, "so, I guess I just have to satisfy the client's request" - not if it's illegal or technically dangerous for them. You need to protect yourself and them from bad judgment.
PM reads data at a very low level so to hide from it you have to actually take over certain NT kernel structures and methods to report different information to PM than what Windows itself sees. Doing this is platform and version dependent (i.e. Windows XP SP1 is different than Windows XP SP2 is different than Vista x64, etc.). It's nearly impossible to do correctly without creating an incredible number of system instability issues.
While it's not strictly illegal, every company that has done it and been discovered (which you will) has enjoyed lots of backlash and criticism from users and security professionals. Again while not explicitly illegal, the kinds of changes required can open severe security holes on the end users' machines. Should they have major system crashes or be exposed to hackers/viruses you may be legally liable for the damage.
Possible semi-legitimate (though I wouldn't want my name associated with them) applications you would want to keep people from seeing are DRM enforcers and nanny-cam style monitors for kids and errant spouses.
That said, I don't think your client really wants you to subvert such an important system. They likely want something less rootkit-like but they picked up the vocabulary watching "24" and have failed to adequately express what it is they want done.
My advice would be to go back to them for clarification. If they do indeed want something to be completely undetectable then you need to decide based on your own conscience whether to proceed or leave the client.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I currently use VMware workstation to create separate workspaces for various clients that I do work for. So for a given client I only install software needed for a specific job, and don't have to worry about software A for client #1 mucking up software B for client #2.
With an adequate sized hard drive this works well but I am not sure I am using VMware to its best advantage. The steps I go through when setting up for a new job are:
Do a windows update on a base VMware image that I have saved away.
Make a full clone of the base image and rename for the new job
Launch the new image and configure/install as necessary.
After doing this for a while I now have a collection of VMware images sitting around that are all at different levels of updates unless I manually go into each image and kick off an update cycle. And if there is some new tool that I want in all of my images I have to also go around and do multiple manual installs. But I feel secure in knowing that each image is self contained (albeit taking 10+Gb at a hit) and that if anything happens to a single image then an issue cannot propagate into any other image. (Note that I do do regular backups of all my images)
So my question is am I doing this the best way, or should I consider linked clones so that I only have to do a windows update or common application install on my base system? What are the pros and cons of each way of organizing things?
In addition, although I try not to keep data files inside the Image's local disks I find that the share to my local hard drive seems very slow compared to the Images file system, hence I tend to leave work inside the image. Should I force myself to not leave data inside the image? Or put another way, how much corruption can a VMware image take before any single file in the images filesystem becomes inaccessible?
Edit
Some thoughts I have had since posting this question
With a full clone I can archive old work away and remove it from my primary hard drive
Linked clones take up a lot less space than a full clone, but I am concerned about archiving a linked clone away somewhere else.
The time taken to make a full clone is not too significant (5-10 mins) and I am generally doing it on a weekly basis.
However I also tend to do a lot of "Let's see what happens with a clean install", especially when I am documenting how to install applications for the client.
I have found that my VMware images cause a lot of fragmentation on my hard drive, so I also end up doing a lot more defrag than before I used VMware. I am not sure if using linked clones would reduce this.
I'd stick with your current system. In this situation, having isolated images gives you a lot more flexibility. It might cost you some more time doing updates and installs, but it will be worth it. And that's mostly stuff that you can have going in the background while you do other things, so if you manage your time well the time spent on that should be negligible.
Also, it's probably a good idea to keep your images on their own disk or at least on their own partition. If you do that it shouldn't have any effect on fragmentation on the rest of your system.
This is really going to depend on what kind of and how many projects and clients you have. Building a new VM for every client doesn't scale well if you have dozens of clients, since you'll have to be keeping them all up to date.
I'd be wary of keeping files spread between the host and VMs as you mention though. It's better to keep all your dependencies in one place.
I'm interested to see others' VM strategies here too.
I work for CohesiveFT, the guys who make the Elastic Server platform - so I am biased - but we use the platform to deliver projects to partners and customers. It allows us to set up assembly-time components for different projects and then build them into VMs on the fly for VMware, Parallels, Xen and EC2. The service has a tagging feature so you can tag software packages, server specifications and templates and keep your assets straight.
You can also create assembly portals (think a content management system for assembling virtual servers) which you can control or even let customers have access to customizing their own virtual servers.
http://www.elasticserver.com
You can have a quick browse at virt-manager, just as an aside as to what's also there. You never know, you might even like it. I think having such a tool can give you a bigger kick in performance and fewer disk defrag issues.
You would have to go for a steep learning curve and the conversion time to make it all work perhaps.
If updates are your main time spender, try WSUS. It's nothing related to VMs itself, but it helps with deploying Windows updates.
Lastly, check Hanselman's blog on Invirtus, Virtual Machine Optimization at its best.