
Thread: security for my software

  1. #1

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11

    security for my software

    I need an idea to make my trial software. It's not only a trial because I need it for my thesis. The problem is this:

    Last year the teacher who was in charge of correcting these apps sold an application to a supermarket, therefore I don't want this to happen to mine. Could someone please suggest a security measure?

    I was thinking about a way of extracting the name the user gave to Windows during the setup and making the app unable to work with other names... what can you tell me about that?
    garrapatita =)

  2. #2
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    Well,

    if you have to give it to your teacher for them to correct it, they can install anywhere, even if you tie it into the LOCAL USER...
    because you're most likely giving them the project, or the EXE, either way, that scenario won't prevent them from theft.

    You could have the APP register with you, via a website, that would then proceed with the installation. Your app would generate an encrypted key. They would visit your site, and ask for the key. Then a java applet would do the necessary conversions, and a second key would be returned. The key the website gave would be time-sensitive, and would expire within hours or days... Then if the same user tries to obtain a new key, it will say, 'sorry, you already got a key, call or email so-and-so for a little one-and-one'

    sorta like what I did here...
    http://www.beysoft.com/Registration.html

  3. #3

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11
    That thing you said is exactly what I wanna do when I release the software... Have you got any example of how I can do it??
    garrapatita =)

  4. #4
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    Are you giving the professor the source code?

    If you are, it still might not help you...

  5. #5

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11
    well, I'm aware that if you give me the code the teacher would be able to decode your site. So if you agree to help me, I'll mention you in my about section but if you rather I won't mention you at all.
    garrapatita =)

  6. #6
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    I have no problems giving you the code, I would just change one line and the prof would never be able to figure it out...

    But, I thought your intention was to disallow the prof from thinking, 'hey, this is a great app, I'm gonna go sell it to some supermarket', and having him/her sell it without your consent or against your will. In the real world, that's illegal. But no matter what security features you encode into the app, if part of the assignment is to hand over the source code (which I assume since he/she would be grading it), then you've basically given the jester the keys to the kingdom....

    But if you don't have to give the source code (or all of it), then I'll be more than glad to help you with it...

  7. #7

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11
    I'm afraid I have to give it completely. So I understand you will not be able to help me but thanx a lot for the idea... I have a clearer idea now thanx to you... =)
    garrapatita =)

  8. #8
    New Member
    Join Date
    Jul 2002
    Location
    Indianapolis
    Posts
    11
    Unless your educational institution has sold its soul to a corporation, you should be able to copyright all your code, simply by noting as such in all the modules, etc.

    You could also throw up a splash screen that declares your copyright.

    Does he have to be able to read your code? You can always remove all the indentations, whitespace, etc.

    And there is always the tactic of changing the variable naming to one or two character names.

  9. #9

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11
    thank you steve but could you please be more explicit, cos I didn't get the last two paragraphs... sorry =(
    garrapatita =)

  10. #10
    The picture isn't missing BuggyProgrammer's Avatar
    Join Date
    Oct 2000
    Location
    Vancouver, Canada
    Posts
    5,217
    he meant making it hard for the instructor to mark your code, but VB auto-spaces your code for most stuff.
    Remember, if someone's post was not helpful, you can always rate their post negatively .

  11. #11
    RobIII
    Guest
    You better create a one-way-hash. Then have the app verify correctness of the key each time it starts up. I'll try to explain:

    When the app first starts up, you enter a name. It connects to your website which creates a hash (using MD5 or SHA or whatever with a secret key). This hash cannot be reverse-engineered or decrypted (that's the nature of a hash, although it could be brute-forced but that would take ages).

    Send the hash back to the client, and next time have it send hash and name. At your server check if name is known and if hash is valid. If you don't know the name or the hash is invalid, deny access.

    The weak point is of course if you give them the source. That way they could rip out the entire check and make it work anyway. But if you just give them an executable this will be the next best thing to uncrackable (but I won't deny it's uncrackable).

    As always, software (even .exe's) can be reverse-engineered and be altered to skip the entire check at all. But it'll be a lot harder to do. To explain, assume you have a function that does this:
    VB Code:
    Private Function CheckCodeValid(strCode As String) As Boolean
        ' ...
        ' blah blah, lots of complicated code here
        ' ...
        ' connect to web...
        ' check for validness...
        ' ...
        ' a and b stand for the values compared by the real check
        If a = b Then CheckCodeValid = True Else CheckCodeValid = False
    End Function

    Now, if I were a cracker I wouldn't give a rat's *ss about the check, and just alter the .exe to always return true, like this:
    VB Code:
    Private Function CheckCodeValid(strCode As String) As Boolean
        ' ...
        ' blah blah, lots of complicated code here
        ' ...
        ' connect to web...
        ' check for validness...
        ' ...
        ' patched: the Else branch now returns True as well
        If a = b Then CheckCodeValid = True Else CheckCodeValid = True
    End Function

    Now, whatever it does, the code is always valid. So you might want to encrypt some datafiles with the same hash or so to make it even more secure. When there's an invalid hash, the data will be decrypted anyway, but it'll result in a whole different file than intended.

    Bear in mind that the app would need access to the web, and your server must be "up" 24/7....

    Hope this is of any help.

    Good luck
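
The scheme described in posts #2 and #11 above (a server-issued, time-limited key that is a keyed hash of the user's name, with data files tied to that hash), as an added example that is not part of the original thread. It uses Python with HMAC-SHA256 in place of "MD5 or SHA with a secret key"; the secret, names, timestamps and the toy keystream (a stand-in for a real cipher) are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: this secret lives only on the licensing server, never in the shipped app.
SERVER_SECRET = b"constructed-demo-secret"


def issue_license(name: str, expires: int) -> str:
    """Server side: keyed one-way hash over the name and an expiry timestamp."""
    msg = f"{name}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_license(name: str, expires: int, tag: str, now: int) -> bool:
    """Server side: recompute the tag, compare in constant time, then check expiry."""
    expected = issue_license(name, expires)
    return hmac.compare_digest(expected.encode(), tag.encode()) and now <= expires


def _keystream(key: bytes, length: int) -> bytes:
    # Toy SHA-256 counter keystream, a stand-in for a real cipher such as AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def crypt_data(tag: str, data: bytes) -> bytes:
    """XOR data with a keystream derived from the tag (one call encrypts, a second decrypts)."""
    key = hashlib.sha256(b"data-key|" + tag.encode()).digest()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


if __name__ == "__main__":
    # Constructed sample values.
    good = issue_license("alice", 2000)
    blob = crypt_data(good, b"price list: apples=3")
    forged = "0" * 64  # tag held by a client whose boolean check was patched out
    print(verify_license("alice", 2000, good, now=1000))
    print(crypt_data(good, blob))    # original bytes
    print(crypt_data(forged, blob))  # unreadable bytes, even though the check was skipped
```

As the thread notes, none of this survives handing over the source: anyone holding a valid tag and the code can decrypt the data once and remove the check.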

  12. #12
    Fanatic Member faisalkm's Avatar
    Join Date
    Oct 2000
    Location
    Germany
    Posts
    752
    I guess if he is giving the code...then there is no way
    Faisal Muhammed
    Homepage:I Started making it in 1994 ...Still Under Construction
    Using

    Visual Basic 6.0 Enterprise SP5
    Embedded Visual Basic 3.0
    SQL Server 2000
    Windows 2000 Proff
    Delphi 6.0


    Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

  13. #13
    Addicted Member
    Join Date
    Jul 2002
    Location
    Grand Rapids, MI
    Posts
    166
    Can't you just sue his ass if he tries to sell your stuff? Hire a lawyer, take his money and send some of it my way. As long as you can prove you had the code before he did, and that he received that same code from you before he sold it, you should be able to sue him for more than he seems to be worth. Even if he changes the code before he sells it as his own, you'd have more than a strong case and besides, it'd be rather difficult for him to change it enough to be undetectable without totally rewriting the code and the logic.
    --------------------------
    Joon Lee

  14. #14
    Addicted Member
    Join Date
    Jun 2002
    Posts
    211
    Why don't you sell it NOW, i.e. pre-emptive strike?

  15. #15
    New Member
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    14
    This is a kind of cheap copyrighting, it has been used here (Canada) and in the US to prove ownership without actually having received a copyright from the necessary govt offices which can be really expensive.

    1: print all code
    2: take and print screenshots of all screens of the application
    3: make a digital copy of all of the above (CD not a floppy)
    4: place all of the above in an envelope
    5: address envelope to yourself and send it registered mail (you usually have to fill out a declaration stating what the package contains) via the post office, NOT a courier company!!!! and request a delivery receipt
    6: keep the receipt the post office gives you for sending the registered package
    7: when the post office delivers the package sign for it and get a sign off receipt
    8: keep the notice you receive as proof of delivery from the post office
    9: put everything in a safe place
    10 : !!**NEVER OPEN THE PACKAGE**!! <--- very important

    now if the teacher sells the application take your proof of intellectual property to a lawyer and sue everyone..

    teacher (thieving, those who can do, those who can't teach and steal from those who did do, in this case anyway),

    school (if he has done this before they know about it, if he was not fired they condoned it, therefore they are liable), and

    the company that bought the product (they didn't perform due diligence in determining ownership of the property before purchasing; it's a stretch but you might get them)

    cheap! easy! and as long as you never open the package it's pretty well fool proof

    remember...

    NEVER OPEN THE PACKAGE!!!!!!!!!!!!!!!!!!!!!!!!

  16. #16
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    Jester, that's simply brilliant...

  17. #17
    Si_the_geek
    Guest
    unfortunately it depends on local law... I know in the UK any software that you develop for coursework is technically owned by the organisation that the coursework is for (ie: school/university etc). So they have the right to sell it, but you don't

  18. #18
    Hyperactive Member Knowledge_is_Et's Avatar
    Join Date
    Dec 2001
    Location
    An Oak.
    Posts
    305
    Well, Here is an idea!
    http://www.vbforums.com/showthread.php?threadid=186729

    In there is code that will get the ID of the computer's Hard Drive. After the first run, it would check that and put it in a resource file (make sure other things are in the file as well, make it look important, so the program will not run without it), then every time the program is run, check the resource file and the HD ID and if they don't match, return an error and quit. I'm not sure, however, that you can edit a resource file directly from VB, so you may need to find some other file that is important, but can be edited by VB. Good luck!
    Now returning to the world of VB. Please make sure your seatbelts are securely fastened and all trays are in their upright and locked position.

  19. #19
    Fanatic Member Slaine's Avatar
    Join Date
    Jul 2002
    Posts
    641
    NEVER OPEN THE PACKAGE!!!!!!!!!!!!!!!!!!!!!!!!
    If someone did copy your idea then wouldn't you have to open the package to prove you owned the copyright?

    I've heard of this process before but my recollection is that it wouldn't stand up in court - you could have posted yourself a non sealed package and then later (ie after the product was released by the other party) put the contents in and sealed it.

    In fact that sounds like a good way to earn a buck - I shall send myself a package ready for the next version of Windows
    Martin J Wallace (Slaine)

  20. #20
    Addicted Member JasonGS's Avatar
    Join Date
    May 2000
    Location
    California
    Posts
    155
    Originally posted by Slaine


    If someone did copy your idea then wouldn't you have to open the package to prove you owned the copyright?

    I've heard of this process before but my recollection is that it wouldn't stand up in court - you could have posted yourself a non sealed package and then later (ie after the product was released by the other party) put the contents in and sealed it.

    In fact that sounds like a good way to earn a buck - I shall send myself a package ready for the next version of Windows
    You would have to open it, and if you won, future judgments could be granted by precedence.

    You can’t send unsealed mail, but that’s not to say a lightly-sealed parcel wouldn’t make it through. You might have better luck in court if you had the sealed envelope notarized over the envelope flap or something to ensure that the envelope was really sealed on or before the postmark date.

    You could also apply for a patent if it was something really spectacular; products are protected while the patent is pending, hence “Patent Pending” on 90% of the stuff you buy.

    Most companies and some schools make you waive all rights to intellectual property created on their equipment/time - so check into that before you attack, as rights to intellectual property are not constitutional, so you can sign those away!

  21. #21
    I wonder how many charact
    Join Date
    Feb 2001
    Location
    Savage, MN, USA
    Posts
    3,704
    But I did find a little snippet from Colorado State:
    At a university level two situations often arise:

    The copyright works created by students are owned by the student, even if created with University faculty/staff input or University resources. If the student's work is reproduced, modified, or incorporated into a publication, written permission from the student must be obtained.

    The University owns copyrights in works created with University resources by University faculty/staff while employed by Colorado State University (see Section J of the Faculty/Staff Manual.)
    Students aren't employees, therefore, they are not bound by such limitations.

    I would contact the student that was infringed and let him know..

  22. #22

    Thread Starter
    New Member
    Join Date
    Jul 2002
    Posts
    11
    thanx to everyone, the ideas you gave me were very useful... And about posting myself the letter I'll think of it, but I'll never find out if she sells it... my last year classmate never did... but thanx anyway you are lovely people! =)
    garrapatita =)
