[2005] Leak Protection

Hello. I am working on an application which I want to give to several people to beta test. I am hoping they can avoid giving it out, but I can't be too sure. I want to add some complex protection against leaking.

I already know how to collect various bits of data from the user's machine in order to verify it is them using it, as well as require a username and password (Which would be simple to bypass, unlike hardware information). What I plan to do is use a diagnostics tool to get the information then set that up on a server.

My question is: How can I make an application check a web server (Possibly a database on a web server) to see if the information is there. Say I have the username and password "Bob" and "BobPass" on my server in some fashion. I want the application to prompt for the U/P (Simple, dont need a guide on that) then run those variables to the server and see if they are in the 'list' of valid people. If it is on the server, it allows use. If not, it doesn't allow use.

If this would be better suited in another language, that's fine as well. (I'm most proficient with VB and C# though)

Any help would be appreciated. Thank you for your time.

Having done this kind of thing a few times, I would actually recommend using a third party licensing tool. These feature hardware locks, time limits and execution based limits, license extensions etc.

If you implement something yourself, you will have to confront all the same issues that commercial licensing systems solve. It's a lot of work and I think it's one of these occasions where a commercial solution makes sense.

Licensing over the web has it's own problems. If you transmit data over http, it's insecure. It'a slso possible to create a website that 'impersonates' your own site.

Your executable can be reverse engineered, which gives a hacker a representation of your software. That in turn exposes any defences you may have built in. So obfuscation is a useful defence, but nothing is ever 100% secure. You just need to raise the bar high enough so that hackers give up and move onto something easier.

Tools such QLM http://www.interactive-studios.net/products/qlm.htm or ExeShield http://www.exeshield.com/ are very good for this. QLM is not very expensive, ExeShield features obfuscation but is expensive. At the end of the day it all depends on how valuable your application is to you.

Awesome. Thanks for the links, I'll test them out. :)