[RESOLVED] [2008] Extract LOCAL MAC address

[briedis]

I have code that retrieves all MAC addresess:

Code:

        Dim NICs As System.Net.NetworkInformation.NetworkInterface() = System.Net.NetworkInformation.NetworkInterface.GetAllNetworkInterfaces()
        Dim s As String = ""
        For i As Integer = 0 To NICs.Length - 1
            s &= String.Format("{0}'s MAC address is: {1}", NICs(i).Name, NICs(i).GetPhysicalAddress()) & vbNewLine
        Next
        TextBox1.Text = s

But how can I extract only the local address?

For example, I take a Wireless adapters` MAC addres, generate a serial number, and the user disables wifi, and then I wont be able to retrieve the MAC in my application and validate the serial number generated form the wifi MAC.

[Kasracer]

Please don't even bother with this. Not only can someone disable their wireless card and have their software rendered useless but if someone changes their NIC it's also useless.

Look at it this way: If someone wants to pirate your software, do you think they're just getting a copy from a friend? Most likely not. The way in which most people get pirated software is by downloading a version from a website / P2P / torrent that's already cracked. This means that your protection will most likely hurt only your legitimate customers.

If you want serial numbers then just go with a generic serial number generator and use that. No fuss. No customers complaining it doesn't work when they replace a piece of hardware.

[briedis]

kasracer,
I understand that all, but I just need to prevent users from simply giving the application to his friends, etc.

The people range for this program isn't big, tipically they would be middle-aged women

So, for now, the main problem is to get only the local adress, because, I don't think it is being changed much ofthen But for laptops - wireless is being disabled/enabled pretty often.. its just a click of a button...

[Kasracer]

So, for now, the main problem is to get only the local adress, because, I don't think it is being changed much ofthen But for laptops - wireless is being disabled/enabled pretty often.. its just a click of a button...

Right, which means it is unreliable. I won't go on a tirade but I really do feel you're only hurting your legitimate customers.

So anyway, perhaps there is a better way of approaching this? A sure-fire way is to use a login system and require them to login to your servers each time it runs. It guarantees that no one else is running it.

Another possibility is looking at the Ethernet interface rather than the Wireless or the currently active NIC. Not sure how to do that though.

Yet another possibility is using another serial number, perhaps from a CPU or Hard Drive? You could possibly use the Computer Name but many people leave them as default.

[briedis]

Ok, maybe I'll consider taking the CPU or HDD serial number...

Thanks for the replies!

[dbasnett]

i think you are missing the point. there isn't much you can do in code that can't be cracked.

[keystone_paul]

i think you are missing the point. there isn't much you can do in code that can't be cracked.

To be fair, while the above statement is true, for most software you might develop you are unlikely to have a hardcore team of russian hackers trying to break your security unless you are looking at an application with a high license cost and thousands of potential users, and so some limited form of protection is still worthwhile if you are looking to protect revenue from your work.

(I was most gratified to find out that some software I'd worked on had been cracked by chinese hackers and was on sale in Shanghai market, but that did retail at $50,000 a licence so it would be worth people's while to take the time to crack the licensing model)

What is a possible option (which I think Microsoft use or have used) is to take say five pieces of info from the user's machine such as NIC serial number, CPU serial number, HDD serial number etc, and have your security code split into five blocks based on these five items.

So long as you can validate three of the five items of hardware you let it pass. If three, four or all five checks fail then you've got a suspicious system. That way if the user changes their hard drive and a network card they have no problem but if three of the five are different then there's a fair chance you've got a totally different system using the software.

[briedis]

Ok, I fugured out how to find Ethernet adapters MAC

Code:

    Public Sub getMAC()
        Dim NICs As System.Net.NetworkInformation.NetworkInterface() = System.Net.NetworkInformation.NetworkInterface.GetAllNetworkInterfaces()
        Dim s As String = ""
        For i As Integer = 0 To NICs.Length - 1
            If NICs(i).NetworkInterfaceType = Net.NetworkInformation.NetworkInterfaceType.Ethernet Then
                s = "Etherned adapter found and its MAC is: " & vbNewLine & NICs(i).GetPhysicalAddress.ToString
                Exit For
            End If
            s = "Nothing found :("
        Next
        TextBox1.Text = s
    End Sub

But the question now is, how many computers have Ethernet Adapters? In percents?
Imho 90%? Maybe for those 10% I can generate a random serial number wich will validate anyway.

I don't think the program I'm making will go further than 1000 copies...

[kleinma]

If you are going to use hardware to try to ID your customers to make sure they are valid customers, then don't use easily replaceable hardware parts like NIC cards to tie a license to a computer. That is just silly.

If you want to go this route because you expect many middle aged women will crack your software, then at least tie it down to something a little more permanent, like the CPU or mobo. Sure, you can replace a CPU, but it doesn't happen too often these days, especially in retail machines. The mobo is an even better bet. Did you know MS considers the mobo to BE the computer? As in your Windows license is tied to the mobo, and changing your mobo constitutes a new computer (with hardware failure as the exception).

Your logic also likely will tie them down to 1 single computer. Is your software a single computer license? What if your legit customer has a computer in the den, and a laptop they use around the house, and would like your app on both machines? You don't allow that? They need 2 licenses? or what?

I will just echo what other people in here are saying, you are only going to hurt the legit customers, and make them not want to use your software.

[briedis]

kleinma,

yup, logic is to tie them down to a single computer.
The mechanism would be like this: buy the software, resolve the generated serial code, email the administrator for retrieving the activation code. Because the mehanism wont be fully automated, people can just ask for another code, if they replace the NIC or move to another computer. OK, but this will rely only on people honesty

[syntaxeater]

Just an idea - the following is new to 3.0/5. You may want to check it out:
http://msdn.microsoft.com/en-us/libr...01(VS.85).aspx

Admittedly, I have not been able to spend time with this feature and can't provide any information beyond what is available from msdn. I do think it's worth a look.

[kleinma]

Just an idea - the following is new to 3.0/5. You may want to check it out:
http://msdn.microsoft.com/en-us/libr...01(VS.85).aspx

Admittedly, I have not been able to spend time with this feature and can't provide any information beyond what is available from msdn. I do think it's worth a look.

Did you just google and post a link? Because that is a link to info about developing against the Active Directory Rights Management Services SDK... It has nothing to do with retail application licensing...

[kleinma]

kleinma,

yup, logic is to tie them down to a single computer.
The mechanism would be like this: buy the software, resolve the generated serial code, email the administrator for retrieving the activation code. Because the mehanism wont be fully automated, people can just ask for another code, if they replace the NIC or move to another computer. OK, but this will rely only on people honesty

I am just telling you, if I had to go through all that to get some software working, it would be the last piece of software I bought from your company. I am a computer person, and it would be annoying to me.. If you are targetting non computer savy middle aged women, it will only be worse.

[syntaxeater]

Did you just google and post a link? Because that is a link to info about developing against the Active Directory Rights Management Services SDK... It has nothing to do with retail application licensing...

No, I went into object browser and attempted a solution rather than bombarding him with the obvious flaws whilst adding no new value.

Since I can't give him my object browser pane, I provided the msdn equivalent.

Also - he never said this was for the general "retail market." He could very well be selling corporate licenses.

[GaryMazzone]

Did you see this:

The people range for this program isn't big, tipically they would be middle-aged women

[syntaxeater]

Yes - middle aged women. Again, no one specifically stated "I'm selling single unit/off the shelf" software. I don't exactly have my MCSE, but I would bet "middle aged women" isn't the end all factor of how licensing and distribution is to be determined. Could be software for a women's fitness club and etc?

Sorry briedis - this forum isn't usually this brash.

[kleinma]

No, I went into object browser and attempted a solution rather than bombarding him with the obvious flaws whilst adding no new value.

Since I can't give him my object browser pane, I provided the msdn equivalent.

Also - he never said this was for the general "retail market." He could very well be selling corporate licenses.

Explaining to someone why their logic is flawed and will create more problems down the road is not adding no value...

Providing something to someone that has nothing to do with their issue is what I consider "no new value". I don't see a single thing related to VB in any of the documentation on your link. In fact I do see:

Developer Audience

The AD RMS SDK is used to create custom applications that encrypt digital assets and enforce term of use for those assets. Knowledge of the C++ programming language is required.

[briedis]

Yeah, I know its complicated, but I see it as the only way to prevent people from simply copying the program and giving to others.

The scope of this program isn't big - it will be a numerology program. In Latvian language, it will have all kinds of numerology calculators and something like a manual where you can read how everything is done (it'll have like 250 pages of text) So, you don't have many choices - you buy this one and go all the hard way till activating it, or buy a foreign program that probably wont have all the features...

[kleinma]

What you may actually want to take a look at is this:

http://msdn.microsoft.com/en-us/slps/default.aspx

[syntaxeater]

Explaining to someone why their logic is flawed and will create more problems down the road is not adding no value...

Providing something to someone that has nothing to do with their issue is what I consider "no new value". I don't see a single thing related to VB in any of the documentation on your link. In fact I do see:

Good reason for that, it's not specific to VB.

System.Security.RightsManagement

Instead of directly linking the objects that provide only member details; I attempted provided a link to a general overview. Sorry, you're right. I'll get in line with everyone else and start assuming things and regurgitate the post above me in more or less words.

As a consumer, your idea would be a huge inconvenience for me. I have had to replace parts on my computer in the past, not to mention... I buy a new one about every 1-2 years. I would have to call each time and really - it wouldn't take long for people to realize you just hand out new numbers. You end up with the same problem. The only chance your cost for supporting just increased since you've moved from "resolving" issues to "expecting" issues.

[syntaxeater]

What you may actually want to take a look at is this:

http://msdn.microsoft.com/en-us/slps/default.aspx

In other words, instead of using active directory - I use SLP server 2008?

...Excellent. Totally not the direction I was going given the details. :bravo:

[Kasracer]

Yeah, I know its complicated, but I see it as the only way to prevent people from simply copying the program and giving to others.

The scope of this program isn't big - it will be a numerology program. In Latvian language, it will have all kinds of numerology calculators and something like a manual where you can read how everything is done (it'll have like 250 pages of text) So, you don't have many choices - you buy this one and go all the hard way till activating it, or buy a foreign program that probably wont have all the features...

Did you develop this in VB.Net? If so, anyone can download it, change your code, and remove the activation. .Net wasn't really meant to be used in this way; it wasn't meant to protect your code very well but as a rapid application development framework.

I see nothing wrong with a serial numbers but tying it to hardware will give you headaches. Remember, you have to support it.

What you may actually want to take a look at is this:

http://msdn.microsoft.com/en-us/slps/default.aspx

Looks a bit large for what the OP was looking for. I don't want to further derail this thread so I'll stop here.

[kleinma]

In other words, instead of using active directory - I use SLP server 2008?

...Excellent. Totally not the direction I was going given the details. :bravo:

Who said anything about deploying a SLP Server? MS offers fully hosted solutions for those who don't have the ability or money to setup a licensing infrastructure.

It certainly is a more viable solution than your suggestion to tie into active directory for a windows forms app that is being sold retail to people to go on their non domained home computers...

I guess you are just taking offense to what I said before about your solution not being valid. I am sorry if you took it like an attack on you, I was just saying that in about 30 seconds of reading info in the link you sent, it was obvious it was not a valid solution.

[kleinma]

Looks a bit large for what the OP was looking for. I don't want to further derail this thread so I'll stop here.

It could very well be, but we all know licensing is never a simple issue. If it was, piracy wouldnt be the problem it is right now.

So back on topic, if hardware is going to be used to ID a machine, why use a NIC card when you can use something more permanent, like some motherboard information...

[Kasracer]

It could very well be, but we all know licensing is never a simple issue. If it was, piracy wouldnt be the problem it is right now.

I would argue that while licensing usually isn't simple, it really should be. Like I mentioned previously, most pirated versions of software get distributed by one group of people so folks just download the copy and they're done. The only people who ever have to deal with licensing and protection schemes are those who are legitimate customers. This fact alone makes me think that licensing should be as insanely simple as possible to keep up a good user experience.

Thankfully large companies are starting to come around to this thinking. Some blockbuster games have been released with literally no DRM and other services such as Steam are insanely easy to use and allow you to copy your application and run it anywhere regardless if you're online. Microsoft even loosened their protections on Vista after many had issues with it. I just hope the trend continues because I don't think it's fair that a pirate can get a piece of software for free that works better than the original.

[kleinma]

I agree it should be. Internet access is one of those things that helps a lot.

For my software, I require internet access. Customer puts in their ID/Password and it downloads and installs their license files in encrypted format and they can use the software. If they DON'T have internet or are behind corporate firewall, we furnish downloads of the license files on the fly on request (sent a download link to their email that is good for 48 hours), and some customers we even send a CD of the app with the license files included.

I may be in a bit of a better position, since our software is service based, and customers need to keep renewing annually to continue to keep the software current, as it uses time sensitive data.

There are plenty of ways around this method, but I think it keep the right balance of ease of use versus thwarting pirates that it has worked pretty well so far.

[syntaxeater]

Who said anything about deploying a SLP Server?

Who said anything about deploying? I said you had to use one, didn't say you had to provide one.

It certainly is a more viable solution than your suggestion to tie into active directory for a windows forms app that is being sold retail to people to go on their non domained home computers...

That, right there - this was not determined until much later (if it ever was).

So yes, given the context from which I was speaking based on the details provided behind your assumptions (the thing I've reiterated NUMEROUS times); I was referring to corporate licensing. In which case, rights management is a much, much better solution. No company wants to purchase software and have it phone home for licensing checks (putting their infrastructure at the mercy of your server's uptime). So instead of assuming trust, you enroll in the "rat out your employer" program that keeps everyone honest and you can still control the features you provide through rights management (giving them keys by email or phone to turn on aspects without interruption or downtime).

I guess you are just taking offense to what I said before about your solution not being valid. I am sorry if you took it like an attack on you, I was just saying that in about 30 seconds of reading info in the link you sent, it was obvious it was not a valid solution.

No Matt, it was a blatent attack. One that you could only justify by making assumptions and introducing your misinterpretations of what I posted as fact. I'm not offended; more amused by the irony the very thing you berated me for ended up becoming one of your suggestions. Because I'm sure that in some stange way, using cpus/mobos instead of NICs lead straight into a WGA-like SLP licensing server. Thereby justifying this thread's attitude towards me and my contributions.

[kleinma]

a blatent attack??? come on now.. I didn't attack you. If you think being attacked is having someone tell you that you are wrong, then there is nothing I can do about that.

Your suggestion was to use a technology that is designed to be implemented on corporate networks running Windows Servers and domain controllers, to provide fine tuned rights on all sorts of data and objects for members of Active Directory on the given domain. I don't see anywhere that it talks about using this technology to license commercial products. Please show me that, and I will agree with you that it is a viable solution.

[syntaxeater]

I don't see anywhere that it talks about using this technology to license commercial products.Please show me that, and I will agree with you that it is a viable solution.

The OP never said either way (another point I've made many times). In fact, that same question - I have proposed at least twice to you and others thus far. You will also notice that I didn't, and haven't, said anyone here was wrong for that very reason. And since I didn't know, I offered a general resource providing an overview saying "it would be something worth looking into." One of two things could have happened:

1. He looked at it and came to the same conclusion you did; that it was not for him.
2. He looked at it and it did suit his needs. This would be followed by us narrowing in on a solution and providing code.

Instead - you muscled your way in, started calling things wrong based on your assumptions of what he needed (before even letting him reply or atleast take a look). But it gets worse - you went on to suggest what is essentially the cousin of what you outright labeled as "nothing to do with this*."

At this point, I can only assume you are holding out in hopes that the OP comes in and says "this is a retail product" so that you can pretend you were right all along. The reality of that would be - you took your assumption, applied it to my wrong idea, represented it as your own and got lucky on a dice roll. All of this in response to "an idea" I asked the OP to "check out" that you wouldn't wait 45 seconds to form an opinion on until you realized you jumped the gun and had to save face by making it your own.

[kleinma]

All I can say based on what you have written is that you need to go back and re-read this entire thread from the start.

[keystone_paul]

C'mon folks lets not drag this thread down into a slanging match.

The issue of approach to protection is an interesting and worthwhile discussion worthy of a thread in its own right (after all it appears to the outside to be a discussion on network cards rather than copy protection).

My view on the situation is this

a) the original poster wants to prevent people from simply handing out an installation CD or iso of his retail product and letting other people install freely without any kind of barrier at all. A totally legitimate concern

b) while it is certainly possible for people who know what they are doing to circumvent any protection method by replacing the relevant code in your program, this is only achievable by people with the right technical knowledge, and only worthwhile doing for programs with a high potential user base. Hackers tend to focus their efforts on mass-market software and not niche products

c) any hardware-based control needs to rely on either an irreplacable component of a machine such as motherboard, or an approach that allows for the user occasionally changing components

d) restricting a user to one copy on one machine per license is perfectly reasonable. Most software works on that basis - I'm pretty sure that Microsoft wouldn't allow me to install my license of Vista on a desktop as well as my laptop

e) putting in place some kind of webservice call or online login to validate the user every time the program is run depends totally on people living in a connected 24/7 world. Certainly not an assumption that I can make for users of my software, and if there is no inherent internet/server requirement for the software for any other reason it means implementing and maintaining infrastructure that would probably cost more than the lost revenue from piracy!

[briedis]

Thanks keystone_paul, I tottaly agree with all you given points!