Archive for December, 2009

Copy Protecting Your Software, Part 2

Thursday, December 31st, 2009

My Requirements

I have been working on two types of software products: .NET desktop applications, and Apache/PHP/MySQL web applications. The .NET applications will be node locked using the MAC address of the computer running the software. The web applications will also be node locked using the MAC address. In addition, they will be licensed on a per feature and per connection basis.

Activations over the internet are becoming more common, but they have their own issues. For one, many of our customers are in corporate environments, which typically means sitting behind a firewall or HTTP proxy that may block the activation call entirely. Microsoft’s Windows activation gives users a fallback of activating by telephone, but we’d rather not do that. The end result is a requirement that the user be able to download a license key or file, or have it sent by e-mail.

Note that I only evaluated these products for .NET and PHP support. As I started looking into this, I found that there are really two categories for copy protection software: simple obfuscators and “kitchen sink” licensing solutions. What’s interesting is the products that provide obfuscation and encryption for interpreted and byte code languages are starting to provide some level of licensing, usually a simple node locked MAC address scheme.

Since none of the “kitchen sink” copy protection products do both .NET and PHP (that I could find, anyway), I am leaning towards using two different obfuscators that support node locked licensing.

HASP

We evaluated HASP, by Aladdin Software (http://www.aladdin.com). HASP provides both code protection/obfuscation and copy protection for native code and .NET (it might support Java as well, but we didn’t evaluate that). HASP will support dongle-based copy protection as well as software-based activation. If you are really paranoid about somebody copying your software, buy HASP and make your users plug a physical device into a USB port.

HASP can handle activation for you as a hosted service, or you can run it yourself: either host the HASP activation server at your location, or pay Aladdin a subscription fee for each activation.

All this comes at a price. HASP is expensive. It’s a huge product, so installation and configuration are not trivial. And as it doesn’t do PHP obfuscation, it would just be one piece of the copy protection puzzle for us. But if you have a C or .NET app, you should take a look.

LM-X License Manager

LM-X (http://www.x-formation.com) seems to be a lighter version of HASP. No dongle support, but they do provide a SaaS model for license activations. Like HASP, you need to run SQL Server to store all your customer and license information. HASP seemed more polished but is more expensive than LM-X.

LM-X does have an interesting feature: the ability to create reseller objects and have products under the reseller with different pricing. I didn’t look for this feature in the other products, so I’m not sure if it’s there.

SolidPHP

SolidPHP (http://solidphp.com) looks very promising. It handles everything you need to sell your PHP application over the web, from payment processing to customer and license management. There’s even a free version. However, I could never get it to work for me. The SolidPHP guys were helpful, even though I was just using the free version, but there is very little documentation and for some reason the license files I got from the SolidPHP web site never worked with the IonCube obfuscator they are using. I made sure to try it on my XP desktop, just to make sure it’s not some issue with Windows 7 and 64-bit. I’ll be trying the latest version when it comes out, but after the initial experience I am a little wary.

Copy Protecting Your Software, Part 1

Wednesday, December 30th, 2009

Introduction

So you’ve written the next great killer app. It’s going to be huge. iFart huge. But this is a .NET desktop client or PHP server product. You don’t have the advantage of a locked platform like the iPhone. You need to implement your own copy protection.

This is written with the assumption that any copy protection can be cracked eventually. Crackers have been defeating the copy protection on computer games for years. You can’t prevent your software from being copied if somebody really, really wants to. For our purposes, though, it’s much less likely that a cracker will spend large amounts of time on a niche business application, so the goal is to raise the effort above what a casual copier is willing to spend.

Copy Protection != Licensing

Licensing is the set of terms under which you sell your software. Copy protection is the technical controls, or DRM, that enforce those terms. Sometimes you purchase a license for a program. Sometimes you purchase a license for a feature of a program. I’m not sure how many versions of Windows 7 there are, but when you purchase a license for Windows 7 Starter, you’re not going to be able to run Windows 7 Ultimate until you give Microsoft some more money.

When you purchase a license for a desktop application, you’re usually purchasing a license to use all the features of that application. If the vendor wants to license desktop apps on a per feature basis, or have some other way to upsell the customer, they will usually provide different versions of the application and charge accordingly.

Server applications sometimes license on a per connection or even per CPU basis. You have a license for n database connections, and once n are in use, any further connections to the database are refused.

Copy Protection Mechanisms

Floating licenses are a pool of licenses that live on a license server somewhere. When a new instance of a program is started, it talks to the license server and tries to allocate a license from the pool. If all the licenses are taken, you’ll have to wait. The advantage is the licenses are not locked to a particular computer, as they are with node locked licensing.

Node locked licenses are usually locked to the MAC address of the network adapter of the computer where the software is being run. When the software is installed, you either send the MAC address to the vendor and get a license key in return, or the software itself sends the MAC address to a server over the internet, which responds with a license key. Two caveats: the MAC address is a weak identifier, since a user can change it in the adapter settings and it changes legitimately when a NIC or motherboard is replaced, so plan for a reissue process. And the license key should be a statement signed by the vendor about that MAC address, not something the software can compute from the MAC address on its own, or anyone who reads the code can generate their own keys.
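The following is an added example, written in Go rather than in any of the .NET or PHP products discussed on this page, of the node locked scheme just described combined with the per feature and per connection terms from the requirements in Part 2. The vendor keeps an Ed25519 private key and signs a small license document containing the customer’s MAC address, feature list, connection limit and expiry; only the public key ships inside the product, so a customer who reads the verification code still cannot mint a license of their own. The field names, the customer name and the MAC addresses are illustrative assumptions, not anything from the products reviewed here.

```go
// Added example (Go): a vendor-signed, node-locked license file. The vendor
// holds the Ed25519 private key; only the public key is embedded in the
// application. Field names, "Acme" and the MAC addresses are illustrative.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// License is the signed payload. MAC is the node lock; Features and
// MaxConnections carry the per-feature and per-connection terms.
type License struct {
	Customer       string   `json:"customer"`
	MAC            string   `json:"mac"`
	Features       []string `json:"features"`
	MaxConnections int      `json:"max_connections"`
	Expires        int64    `json:"expires"` // unix seconds; 0 means perpetual
}

// LicenseFile is what the customer downloads or receives by e-mail.
type LicenseFile struct {
	Payload   string `json:"payload"`   // base64 of the JSON-encoded License
	Signature string `json:"signature"` // base64 Ed25519 signature over the payload bytes
}

// NormalizeMAC makes addresses comparable however they were reported
// (ipconfig prints 00-1A-2B-..., Linux prints 00:1a:2b:...).
func NormalizeMAC(mac string) (string, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return "", err
	}
	return hw.String(), nil // canonical lower-case, colon-separated form
}

// Issue runs on the vendor side and signs the license with the private key.
func Issue(priv ed25519.PrivateKey, lic License) (LicenseFile, error) {
	mac, err := NormalizeMAC(lic.MAC)
	if err != nil {
		return LicenseFile{}, err
	}
	lic.MAC = mac
	payload, err := json.Marshal(lic)
	if err != nil {
		return LicenseFile{}, err
	}
	return LicenseFile{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload)),
	}, nil
}

// Verify runs inside the product with the embedded public key. It checks the
// signature before trusting any field, then the node lock, then expiry.
func Verify(pub ed25519.PublicKey, lf LicenseFile, localMAC string, now time.Time) (License, error) {
	payload, err1 := base64.StdEncoding.DecodeString(lf.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(lf.Signature)
	if err1 != nil || err2 != nil {
		return License{}, errors.New("license file is not valid base64")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return License{}, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return License{}, err
	}
	mac, err := NormalizeMAC(localMAC)
	if err != nil {
		return License{}, err
	}
	if lic.MAC != mac {
		return License{}, errors.New("license is locked to a different machine")
	}
	if lic.Expires != 0 && now.Unix() > lic.Expires {
		return License{}, errors.New("license expired")
	}
	return lic, nil
}

// HasFeature and ConnectionAllowed are the runtime gates the application calls.
func (l License) HasFeature(name string) bool {
	for _, f := range l.Features {
		if f == name {
			return true
		}
	}
	return false
}

func (l License) ConnectionAllowed(active int) bool { return active < l.MaxConnections }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lf, _ := Issue(priv, License{Customer: "Acme", MAC: "00-1A-2B-3C-4D-5E",
		Features: []string{"reports"}, MaxConnections: 10})
	lic, err := Verify(pub, lf, "00:1a:2b:3c:4d:5e", time.Now())
	fmt.Println(lic.Customer, err, lic.HasFeature("reports"), lic.ConnectionAllowed(10))
	_, err = Verify(pub, lf, "00:1a:2b:3c:4d:5f", time.Now()) // a different NIC
	fmt.Println(err)
}
```

The signature is checked before any field of the payload is read, so editing the feature list or connection limit in the file invalidates it. What this cannot do is protect the call to Verify itself: it runs on the customer’s machine, and somebody who can edit the binary or the PHP source can simply remove the check, which is why the obfuscation discussed below matters for this scheme at all.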

Obfuscation

Nowadays, much of the software being sold is at a higher level than native code. PHP code is text. You can open it in Notepad and mess with it. .NET executables are bytecode (CIL), and a tool like .NET Reflector will decompile them back into readable C#.

If you integrate or write your own copy protection in one of these languages, it will be trivial for somebody to find the license check and remove it. Obfuscators rename identifiers, restructure control flow, or encrypt the source or bytecode so that it is much harder to read. Because the runtime still has to decrypt and execute the code, it can be recovered if somebody really wants to, but it will stop the majority of people from trying.

Newer obfuscation products are implementing copy protection. We’ll read more about this later.

Keychain on Windows with Cygwin

Tuesday, December 8th, 2009

I might be repeating myself; I’m deleting this from our knowledge base and didn’t want to lose it.

Running Keychain on Windows

Running svn+ssh means we can use the accounts that already exist on the Linux server, and the revision control traffic is tunneled over an encrypted, authenticated SSH connection. The downside is that it prompts you for your password every time you connect to the server.

There’s a way to get around that. First off, make sure you have installed the OpenSSH and keychain packages in Cygwin. Then run ssh-keygen. Do enter a passphrase: a private key stored unencrypted is usable by anyone who copies the file. You will now have a private and public key pair in ~/.ssh. Use scp to copy your public key to the server you want to access (if the account on the server already has its own ~/.ssh/id_rsa.pub, copy it under a different name so you don’t overwrite it):

scp ~/.ssh/id_rsa.pub username@server:.ssh/

Then ssh to the server and append your new public key to the authorized_keys file in ~/.ssh. sshd ignores the file if it or the directory is writable by anyone else, so fix the permissions at the same time:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Now log out of the server and try ssh’ing back in. It should ask you for your passphrase instead of your password. This means the server found your public key in authorized_keys and your local ssh is unlocking the private key to prove you hold it. Let’s make it even easier.

Edit (or create) a new .bash_profile in your home Cygwin directory. It should look something like this:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
eval `keychain --eval id_rsa`

That last line runs keychain, which is a wrapper for ssh-agent, with your private key. ssh-agent holds your decrypted private key in memory and uses it to answer authentication challenges for any client (ssh, scp, svn+ssh, etc.) connecting to a host that has the matching public key in its authorized_keys file. keychain’s job is to reuse one ssh-agent across all your shells instead of starting a new one per window.

Now try closing your Cygwin window and opening a new one. If this is the first time you’re running keychain since you logged into Windows, it will ask you for your passphrase. This is the passphrase for the key you created with ssh-keygen, not your password on the server. Enter it, then try to ssh to the server. You shouldn’t be prompted for anything.

The final step: create a file named ssh.cmd in your Cygwin directory (c:\cygwin, for example). It should contain one line; adjust the drive letter and path to match your Cygwin installation:

c:\cygwin\bin\bash.exe --login -c "/usr/bin/ssh %*"

Right-click on a folder in Windows Explorer, then click on “TortoiseSVN” and “Settings…” Click “Network” and put the path to ssh.cmd in the space for “SSH client.”

Now try an update. You’ll see a console window for a second as it authenticates, then your update should continue without prompting you for a password.