I have an application I want to protect by requiring my users to register.
I also want to ensure that they can't install on more than two machines.
To do this I need to know where to find a unique hardware ID number, and utilize that in the registration code.
All I need to know is how to get that number using code.
As others have pointed out, there is really no such thing as a unique hardware ID. Others who have come before you have tried to use various things (e.g. motherboard serial number, CPU serial number, HDD serial number, MAC address) or combinations of those things, but they are all problematic in their own way. Serial numbers are not always returned by all drivers and even if they do, they can easily change if the hardware is upgraded or replaced. Also, the serial numbers can technically be repeated by different vendors and especially on virtual machines. MAC addresses are problematic because there are often multiple and they change often, especially with VPN's. Also, MAC addresses are often duplicated by multiple machines using the same VPN software. You could use the Windows Installation serial number, but this can also be duplicated and changes with OS upgrades. The simple answer is, when possible, don't. If you must do something like this, it would be better to have a way to programmatically mark each computer that your software is installed on by writing an encrypted GUID to someplace on the harddrive and provide an easy mechanism for your support staff to retag any computer at will.
Related
Scenario: A critical computer system is operator-controlled via standard USB keyboard and mouse. Also, there is a DVI-monitor connected to view the operator-targeted GUI. The computer system runs a soft-PLC system based on Windows 7 Professional or, alternatively, Windows Embedded Standard 7 (the "system software").
Question: Is there a software solution, to detect the loss (disconnect/failure) of USB HID-devices such as the keyboard or mouse, and the single DVI-display? This is important, since the critical system can no longer be expected to function properly, without the operator able to manipulate it or see displayed content.
Own considerations: This likely requires low-level WINAPI calls, which is fine. I am thinking that a windows service might be constantly seeking to enumerate the number of keyboards and displays - perhaps even identify them via model or serial number. If this enumeration and/or identification reaches zero or fails entirely, the system-software must of course react fast and appropriately (i.e. go to fail-mode or similar).
As far as I see it, this is general issue with all critical operator-controlled systems. Question is then: Is there already software or hardware for this in existence perhaps?
Note: Operator is always human.
Alas, as for an answer this isn’t going to be much more than a “read the docs” plus some links... Sorry.
First, MSDN documentation.
RegisterDeviceNotification
Detecting Media Insertion or Removal
Talking to USB devices, start to finish (Windows Store app)
I found a C# class on CodeProject.com that does this; the accompanying article is pretty good.
Detecting USB Drive Removal in a C# Program.
I admit that the last time I did anything like this was some years ago, and only for CD notifications. I’ve since lost the code (both my primary and backup hard drives failed within days of each other, LOL).
I am currently working on an application which will audit computers, and one of the things that it is mandatory for this app to achieve is to get the license key from the install of OEM windows and Retail Office, in order to retain this information for future purposes, such as re-installation and move from one machine to another (this part is more for office).
The requirement here is specifically NOT to use any apps that already find keys, this is a BIG no no for the project.
The goal is to have a comprehensive audit of the user's PC:
hardware info, software installed, user account name, pc name, domain currently used, workgroup, antivirus used, running processes, startup processes, and LICENSE KEYS. And it has to be custom tailored for this specific purpose, so retail apps are instantly out of the question.
Now I am very confident I can do everything myself. Frankly, I already did 50% of this. Where I am stuck is finding where the license keys are stored within windows.. It has been eluding me for a week now.. Internet searching only refers me to sites that offer the easy and lazy option of using a pre-made key finder.
Initially I thought that these would be somehow squirreled away in the registry, but a plaintext search of my own personal Office key returned a great big nothing. Which leaves me to wonder if these keys are stored in the registry, are they perhaps in there as HEX? Or encrypted?
Or if not, where could they be stored?
The literally used keys are not stored on the computer.
However the registry contains a value which is based on the original key. There is software (which you stated is "a big no no") which you can use to calculate the original key based on these values.
If you want to do this yourself then you might want to take a look at bytes 34 through 42 from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\DigitalProductId (for windows). Office uses something similar.
I have a downloadable Ruby client which users can install on various devices they own. The client just runs every so often and sends various data to a server.
I would like to be able to uniquely identify each of a user's devices so that I can tell which device various request originated from.
The ideal identifier would exist cross platform so that I can use is on OSX, Windows, Android etc.
It is not necessary for it to be unique among the set of all computers, just unique among the set of a single user's computers.
I would rather not write my own identifier to the file system if that can be avoided.
The identifier should persist. Permanently if possible.
What is the simplest way to do this?
With the sysinfo gem, using sysinfo.to_s for example you get strings like ruby-unix-osx-i386.
But that would not work if a user has two machines with the same architecture. Also I'm not sure if sysinfo supports platform like Android for example.
Thus far, I haven't found a satisfactory way to do this without writing to the users machine.
Currently, I use the UUID gem to write a 36 char unique identifier to the filesystem and then read it back whenever I have to.
Another option if you are using > Ruby 1.9.2 is to use the SecureRandom.uuid method which does the same thing. This method is not available in Ruby 1.8.7 however.
I have written a software which I would like to bind to mac. Is there any specific algorithm to bind mac address with my software? Thank you for help !
Edit:
I want to provide serial number according to user's mac address.
The comment above is right - the MAC address is widely used for node-locking, but it is a poor choice as it is easily changed in OS.
A more secure approach is to use a combination of hardware and software system parameters, such as hard disk ID, system name, user OS login name, CPU ID etc.. The selection available will depend on the specific OS and programming language you use.
However, to avoid problems down the road, I'd suggest you think about the following:
How do you obtain the system parameters? If you ask the user to provide them there is opportunity for human error, such as entering a '1' for an 'l' or a '0' for an 'O'. Then the license won't work and the user will be inconvenienced.
What if the parameter you lock to changes, say if the user upgrades their system by changing a piece of hardware? Will it break your system and need the user to request a new license from you?
What if the user wants to move their license to another system, or to a new machine? Can your licensing system allow this without making it easy for the user to run one license on both the old and new systems?
These are the kinds of issues that cause home-built licensing systems to annoy legitimate users, and not be very secure against would-be hackers.
Commercial licensing systems should of course have dealt with these and other issues already.
Write MAC Adress into a kind of license file.
On startup read the MAC-Adress and compare it with configured.
If not equal --> stop with error.
To create a unique serial number out of a mac address you have to apply an algorithm to macaddress. There are some comercial tools for that for you professionally.
Some thoughts to licensing can be found here and here
I take it you're looking to achieve some sort of node-locking of your app to a specific device. If so, you might be disappointed to learn that the MAC address is not always a persistent value on a device. In fact, some devices have multiple MAC addresses, so it's not a particularly reliable value to use when looking to find a persistent hardware ID to bind to.
Our solution for Node-Locking Licenses to a device at LicenseSpring (we specialize in this sort of stuff) is that we generate a device fingerprint by hashing the serial numbers of some of the hardware we read on the device (such as the CPUID + BaseboardID + SystemDiskID). When the end user retrieves the license key, they use that hash along with the license key to perform a license check, which is computed on the fly. The license key is set to only be usable on a finite number of devices, so if another device tries to use the license key, they will compute a different hardwareID and be blocked.
So long as you're hashing those serial numbers in the same way, you won't run into any trouble...
You CAN store information in the key itself, such as product info / device info etc.
but I would also advise against that. Mainly because there's only so much info that can fit into a key, and then it makes it quite easy to reverse engineer.
Instead, I'd suggest you use the server response from the online license check to send back license entitlements as well as signing the server response, and use that to control the state of your application.
I'm developing a commercial project on an ARM based embedded board with a custom Linux kernel on it, using Ruby. Target workspace of the project and the device is a closed-environment, no ethernet, inernet, I/O devices etc... I want to protect my code/program so that; it'll only work on the specific machines I let (so; people cant just copy and paste my code/program on to their embedded boards and run it w/o permission). This can probably done with the machine's MAC address tho; I don't have any experience on the subject. I guess, just a simple if(device.MACAddr == "XX:XX....XX") wouldn't be depandable (not to mention people can just easily delete the check from my code). I can't use some ruby obfuscators, which I found thru google, beacuse; the device doesnt run ruby-external-C-libraries or such stuff, only pure ruby code.
So; what are your suggestions, what type of approach should I take?
you can't really protect it, its hard enough protecting native code! and even then that basically fails if someone really wants to copy the software.
basically do very little if anything to secure it, its mostly wasted time and effort
This is isomorphic to the problem of DRM. You're giving a person both a lock and the key to that lock, and trying to stop that person from using the key in a way you don't like.
Therefore, I suggest using the same methods that other DRM users do: put your terms in the license, and sue them if they violate it. You need to use the law to enforce the other terms of the license, anyway.