Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Improve this question
How do you protect your commercial application from being installed on multiple computers from people who only own one license?
Do you think it's a good idea to have more than just a serial based scheme?
My general rules are
Huge deployments in commercial environments - Audit
Medium deployments of low value software < $1000 / seat - License key activation
Small deployments of high value software > $10,000 / seat - Dongles
The following method works well, as long as you have a public server at your disposal:
Serial based protection, user must enter a serial before using the program
On first serial entry, bind the serial to the MAC address and create an auth code generated from both of these values.
Check with your server to make sure the serial and MAC can be bound to eachother. Register the MAC on the server.
On each subsequent run, never contact the server again, but each time make sure the serial + MAC address matches their auth code.
If the user has no MAC address, allow them to run the program as long as they have a serial.
This gives you protection against someone simply copying the registry from one computer to another.
If the user tries to install with the same serial on another computer, the server will not allow you to bind the serial number to the MAC address because it is already bound.
It is not a perfect solution but it protects you 99% of the time.
Do you think it's a good idea to have more than just a serial based scheme?
Speaking as someone who has to install all kinds of software on all kinds of machines, do please spare a thought for the poor network administrators when thinking up your copy protection scheme. Please, please, consider network-wide installs when writing your installer - by all means include some kind of serial number protection, even make me phone up or contact your website and get an authorisation code to get a site-wide installer code or whatever, but please make sure your licensing code works. A good way to ensure your technically-superior-to-anything-else-on-the-market software doesn't get installed and used is to mess up the installer or have an install system that is simply too much trouble.
Use machine-locked licenses or licenses requiring activation to lock licenses to specific machines. Instead of developing such a scheme yourself, consider using a ready-to-use one like CryptoLicensing which supports these features.
DISCLAIMER: I work for LogicNP Software, the developer of CryptoLicensing.
We use a MAC address plus license file approach. We have the customer send us the MAC address of their PC, then generate a license file based on that MAC address. We then send the file to them via email and then they load the license file into the program. The downside is that if people swap out network cards and you'll have to issue them a new license. It takes a little more bookkeeping to make sure people aren't always requesting new licenses, and a little trust in your customer base that they won't try to game the system too much. Depending on that trust level, you can add layers of encoding or encryption into the file so they can't easily duplicate the file. On the plus side, you don't have to implement or maintain any type of authentication server.
You can always use a USB dongle if the software is worth it. Of course, all dongle manufacturers claim that their copy protection cannot be broken.
The advantage of this method is that it allows the user to use the software on multiple computers, but only run on one at a time, and it is actually not such hassle like some sort of product activation. The disadvantage, of course, is that you cannot deploy your application completely electronically. Even though you might think the opposite, actually many customers seem to accept the use of a dongle, at least in the field I work in. It's especially useful if you expect your customers to use (and also install!) the software in a place where no internet connection is available.
Edit: I overread the serial-based thing in the original question. Note that even that may annoy users more than having to put in a dongle, and it's easier for you too because neither the customer nor you have to deal with that numbers. Plug in the dongle and the app works. However, the serial-only method is by far the cheapest.
We use Orion from Agilis. For some of our users we do activation of node-locked licenses, for others they get their activation by a web page or email, and for others we put a license server on their premises. Orion covers all the bases we need.
Related
We have a large number of small devices deployed in the wild that communicate with a central server via a REST API. It will send a status update on a regular basis with some sensor data and will also ask the server if there are any software updates that need to be applied. If there are, it will download it etc.
I'd like some way to prevent my server API from being used by unauthorised clients. Here are the solutions that I have and the issues which I anticipate. This question is somewhat open ended but it is mostly a question of best practices for, what I think is, a common situation.
Keep a single username/password on the server and then use basic auth over https. This is simple but if I change it, I'd have to somehow change the credentials on all of my devices (which number in the low thousands). This is hard to do reliably. There's also a problem with how the devices are going to get the update without first changing their creds.
The second is to create a username/password for every device. Then I can update individual ones and manage them but there's a lot of state on the server and I'm worried about having this much data on the server.
Some kind of automatic key based system whereby the devices can ask for an expirable key and then use that for all transactions. If the key expires or is invalidated, that device can't connect anymore. This would necessitate some kind of id for the device which I'm not sure how to handle.
So, how would I do this?
Update
In our setup, we have assigned hostnames for each of the devices we're going to deploy created beforehand. Once the devices switch on, they will contact the server with their hostnames and thereby register themselves. The MAC address and other information is passed as part of the initial registration handshake.
So, the "unique identifer" which was mentioned in the answer (and comment) by Noksi is the hostname. This can be easily spoofed (since the hostnames have a pattern). However, when the devices first come online, we can get the mac and, after that, only refresh the token if the request comes from the same mac. This opens up the possibility of a fake registration happening the first time though.
If there is some way to uniquely identify each device (similar to a MAC address) then that would be the key. Keep a registry of the devices and each device would register with the server. the server would provide the device with a token and associate it (the token) with the registered device. the device uses that token to make requests. tokens can be made to expire and renewed as needed or can be black listed if needed. This seems to be similar to option 3 in the proposed options.
Good Day everyone,
I have a program design question (or questions) that I would love to get some feedback on.
Here is my situation:
I have
Computer A running software A
Software A has different states (idle, processing, printing,...)
Computer B running management software B
These pieces of software are on 2 different machines.
What I really need is a way for the computer running software B to be able to tell what state software A is in.
I would like software A to send some kind of signal (message) to software B when it's state has changed. I would also like software A to send it's state when software B requests it.
I have been thinking about using NService Bus or MSMQ between the two, but software B may be on a computer that is not on the current network (it may be in a 'Corporate Office' on their network). Is there any other way to achieve what I want other than the two ways listed?
Any help would be greatly appreciated.
Thank you,
Tim
Take a look at the Gateway feature in NSB. This will allow HTTP communication between sites and will support all of your scenarios.
This is how I see it:
Software A is a server
Software B (Management software is a client)
Good design shall always ensure that the server never sends something on its own. I would develop a simple HTTP based protocol (REST API or Web Services if you want to do it perfectly and in a W3C standard) to query Software A remotely. This way you can even develop client software that runs in a browser. The clients can connect through firewalls and proxies, so you shall just make sure requests for Software A are relayed appropriately inside your company.
I cannot read much about other constraints but if you only have to monitor a status, then this is definitively enough. To avoid polling you can use WS-Eventing.
I have a client company with a simple web application (Python Flask) and I need to add a phone notification functionality to it.
The main requirement is that the app should call users, play a certain sound file and accept some tone input ("Hello! This is an automated message from your WebApp account. You have a meeting with $John today at $5pm. Please press 1 to confirm").
The other requirement is that the solution should be relatively cheap and fast to market.
I have done some research already and it seems that there are a few consequent steps to achieve that:
Set up an Asterisk or a FreeSwitch server;
Set up a SIP account;
Write some business logic for the Asterisk server which allows to make calls and play sounds via a SIP account;
Write an API at the Asterisk server and expose it to the Python Flask web app.
Do I miss something here? Can any of the steps be omitted anyhow? Can I do it simpler?
the fastest way to get it working is to use one of the cloud voice services with speech synthesiser. Here's a short list to check out:
Twilio
Tropo
Plivo
Here I listed some details.
Those services charge you per minute, plus you may have to pay some monthly fee.
If you want to run an independent and standalone service, I would recommend FreeSWITCH instead of Asterisk. It's got reach integration possibilities and API. You will need to read the FreeSWITCH book in order to understand how it works and how to build your service.
I agree with Stanislav Sinyagin on the cloud based solutions, but I would add one more, Voxeo Prophecy. Tropo is from Voxeo, but they have offered Prophecy as a solution for a lot longer and it supports the open standards CCXML and VoiceXML. The advantage of CCXML for outbound notification applications is you have a lot more control of the notification process.
The Prophecy platform has excellent call progress analysis (CPA) which will allow you to determine whether a machine or a human answered and handle the call accordingly. For example, it does not make sense to ask a machine to "...press one to confirm". Instead you may want to leave a message that provides a call back number for the user to confirm with after they have listened to the voice message. The CPA can be used to leave a message on a machine at the correct time (when the greeting message has stopped) so that you do not get clipped messages in the voice mail. CPA will also allow you to provide detailed reports on who was notified and for those that did not it can tell you whether it was a bad number (received a SIT tone), a modem or fax answered, or ring-no-answer (pretty rare these days). These type of details can factor into your retry process for failed notifications.
The other advantage to using Prophecy and open standards is your application will be portable to other IVR systems that are VoiceXML/CCXML compatible if you ever want to migrate. Tropo, Twilio, and Plivo all use proprietary API's which does not allow you to move your applications to other services. Prophecy is also available as a software solution so that if you want to take it out of the cloud you can run it on premise. You can get a two port version for free to try it out.
There is excellent documentation on developing outbound notification systems on Voxeo's developer site. Take a look at the CCXML documentation in section F on Outbound Dialing.
Not sure which development languages you are familiar with, but if you are used to ASP.NET MVC there is an open source project called VoiceModel that makes it easier to develop VoiceXML applications. The other advantage of VoiceModel is that you develop your application once and it will run on any VoiceXML compatible platform and Tropo. They are currently working on adding outbound notification support in this project that will work for both Tropo and VoiceXML.
Third party solutions listed are your easy choice. Running your own asterisk is also suitable for what you want to do, but i think for only this much it would be overkill, from an operational perspective.
In asterisk, you can originate a call that has the 2 variables you need with an (basic-authenticated) HTTP request. You will also need some settings and a tiny dialplan. Setting up the SIP account is easier or more difficult, depending on the documentation from the provider. Most of them have detailed documentation for configuring asterisk (not so much so for freeswitch). Keeping the damn thing alive is what's gonna get to you :)
I have production environment, which is running on one server. But I need to run 2 instances of one software, each on "another" server.
Is it possible to imitate more servers on one real server for free? Without loss of computing power and network flow in/out of the real server?
EDIT:
In another words: I want to run two instances of the same software on one machine.
And then I need to use some function that transport some subinstance from instance1 into instance2. But this function is only possible to use when instance1 is on another server than instance2. So I need to imitate that one of both instances running on local is on different servers.
I'm making an assumption that you are using Windows, in which case you could use a Hypervisor like Hyper-V however if you have only purchased one license of Windows you may be fairly limited in what you can run in a production capacity.
If you mean that the software you need to run only has one license you typically are not allowed to virtualize it either, so it seems like the answer is legally you are not going to be able to do much with just one license, however my assumptions may be all wrong, your question wasn't clear enough.
Is there a replacement technology for TAPI that supports third-party call control (3pcc)?
I want to provide the following 3pcc functionalities in an application:
Outgoing call:
User clicks at a button in the application.
The user's phone goes off hook, and the callee's phone rings.
The callee's phone shows the phone number of the callee, not the phone number used for the application.
When the callee picks up the phone, the connection is established.
Incoming call:
When user's phone rings, the caller's number and the called number are sent to the application.
The application evaluates the numbers and shows e.g. a customer record.
In the past, I would have done this with TAPI, but it seems that Microsoft does not actively develop TAPI any more (even though TAPI is supported with all current Windows versions, up to Windows 7). Therefore, I am searching for a technology that is more likely supported in the future by the majority of telephony system providers.
I am aware of CSTA, which could be used to do this, but this also is a pretty old technology and not very widespread (it has 100 times less Google hits than TAPI, for example).
I am also aware of SIP, which does not have direct support for 3pcc features, but there are ways to work around this:
For outgoing calls: use application's SIP endpoint to connect to the two phones first, then connect them by making a kind of "conference call".
For incoming calls: use SUBSCRIBE and NOTIFY and dialog event package.
Problem is that the procedure for outgoing calls is very clumsy, and the called phone would not display the correct phone number (i.e. the caller's number) when ringing.
Furthermore, SIP is not a single standard, but a collection of many different RFCs, and it seems that telephony system manufacturers only implement parts of those RFCs, and there usually is no good documentation which parts are implemented.
So, my question is: is there any other telephony integration standard that
supports third-party call control, and that can be considered as a widely supported standard in the foreseeable future?
I'd suggest you consider CSTA3.
ECMA CSTA3 is a comprehensive standard for 3rd party telephony call control far superior to TAPI in detail and implemented by several vendors. A web service definition exists for CSTA.
See ECMA CSTA 3
I can highly recommend the standard but would suggest you carefully consider if the target vendor supports the CSTA standard as you require.
The answer to the OP is yes. A couple years ago I was trying to do TAPI work and had all of the same issues as everyone else. Rather than using local hardware and drivers, I found cloud services which do everything requested in the OP. I won't mention a specific service unless someone PM's me. But my recommendation is to go off the standard path, and stop beating your head against the TAPI wall. HTH
stop beating your head against the TAPI wall
That would be nice. PM's are however not possible here TonyG. I would love hear about your cloud service experiences. Without getting specific, do you really mean call control over my desk phone is possible from the cloud?
Try Esna Ilink For Cisco Or Esna Ilink Pro. This product is Platform Independent and will work with any thing including TAPI and CSTA.