Support

If you have a problem or need to report a bug please email : support@dsprobotics.com

There are 3 sections to this support area:

DOWNLOADS: access to product manuals, support files and drivers

HELP & INFORMATION: tutorials and example files for learning or finding pre-made modules for your projects

USER FORUMS: meet with other users and exchange ideas, you can also get help and assistance here

NEW REGISTRATIONS - please contact us if you wish to register on the forum

Users are reminded of the forum rules they sign up to which prohibits any activity that violates any laws including posting material covered by copyright

Serial Registration/Activation Thoughts

For general discussion related FlowStone

Serial Registration/Activation Thoughts

Postby Perfect Human Interface » Sun Aug 17, 2014 9:00 am

Hey, so... this subject again.
I'm working on a couple of plugins that I intend to sell for a small price. I've been weighing my options on how to work out a purchase/activation mechanism.

Some key points:
-I have no intention of locking out "hackers," "crackers" or "pirates." If they want to crack the thing they will do so one way or another so there's no point even trying to prevent that.
-This topic isn't about the algorithms involved in encrypting/decrypting and such. I can figure that out later.
-Yes, I know I could just give it away free and then beg for donations, but I've already decided against that.

What I DO want to do is provide a very simple password registration process that will offer a thin layer of protection, just enough to discourage people from simply handing it out to their buddies like it's nothing.

So the idea of how I'd like it to go is they buy, their payment details hit server side code, they receive an email with an activation code generated based on their email address. Then they'd just type in their email and the code in the plugin and it would be unlocked.

The clear issue here and the main point of this topic is that I would like there to be just one extra layer of protection involved somehow, because it would be so easy to buy the plugin and then post your email/code on some internet forum for all to use. But I don't know of a simple and unobtrusive way to do it.

There are the HDSerial and MAC address values available. But both of these are flawed solutions. People change hardware, move files, and I want to avoid web-based activation if possible.

Another idea I've had so far is also flawed. If I could generate a code that was linked to the current time/date, and then make it valid for only say 48 hours (the buyer could send an email to request a new code), that could limit widespread sharing. But in order for it to work, either the buyer's system time would have to be assumed accurate (and they could simply change it if they knew), or it would have to access a web server.

At this point I'm just looking for ideas. I want it to be quick and painless for the end user, and just barely secure enough to make someone feel like they'd have to make an effort to give it away for free. Any thoughts are welcome. Thank you.
Perfect Human Interface
 
Posts: 643
Joined: Sun Mar 10, 2013 7:32 pm

Re: Serial Registration/Activation Thoughts

Postby CoreStylerz » Sun Aug 17, 2014 9:26 am

My protection is hardware based, and server side checked.
User just login with the plugin and a php script automate the process.
I use HDD serial as machine code, so it solve the issue of having key sharing. (and also user account does it in most cases).
The only problem of HDD (better than mac address since if it's a mobile, they migth also use a 3g usb modem that make it change) is that isn't for real the HD serial but the partition ID.
This makes the code un-working when the user make a clean install.
To solve the issue there are different ways. Actually i support manually these (erasing old registration from DB) checking all registration using a database.
Another solution i will implement is the ability to "blacklist" old keys for the user (as unique ID) when a new machine is prompted.
With your server script you can limit for X machine doing so, just use DB to record registrations in order to make your script able to check always the behave of your customers.

For better security code is passed in Audio (with DSP) and calculated inside it at samplerate (constant).
The code also implement big numbers/string that are caught from the server. U can use long random numbers, order numbers, transaction id's... etc etc.

It's hackable? oooh yes.
But a lot harder to crack compared to green based stuff (u simply use Hxd) since altering memory will not solve anything. Instead nop/nod can crack this or attacking the server side script. (but if well done the script will never reveal anything useful for them also if they broke first steps or sql inject your db)
Need my support for app development, website or custom scripts?
PM me if you are interested.
Experienced Java, J2EE, PHP, Javascript, Angular, Cloud Solutions developer.
User avatar
CoreStylerz
 
Posts: 327
Joined: Sun Jan 22, 2012 2:19 am
Location: italy


Return to General

Who is online

Users browsing this forum: No registered users and 70 guests