The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Securing your program

Hi, I have been selling my app online for the last year at a slow but steady rate. However I don't have any registration or security built into the program, the main reason for this is that I don't know where to start and what I should be implementing. Sounds daft I know but after struggling to come up with a solution I thought I should ask those who have been there.

In a nut shell I'm guessing I need to do the following:

I need to take the users details on first run and then submit them to a web based db?

I need to ask for a serial number? I have no idea how to implement this. I think I need something simple to start with as I am a newbie as far as encryption etc goes.

Anything else I need to know?

Many thanks.
Steve
Sunday, December 17, 2006
 
 
OK, something simple would be to take their name and email address and do some binary tweaking of it to make it a mess, then convert it to a string of letters and numbers. This will be trivial for hackers to reverse engineer and make their own key generators, but it's a basic scheme that will at least reduce casual sharing, but it also helps the user feel like they really bought something.

Later, if you want to make it secure enough so that no one can make key generators, then you can do a public key encryption scheme, but for now this simple one will meet your stated requirements.
Meghraj Reddy
Sunday, December 17, 2006
 
 
To fill out Meghraj's suggestion.

On your web site ask for their email address.
Add a secret word or number known only to you on the end.
Calculate the MD5 this gives you a long number.

In the program ask for the email address and the magic number. When they enter them add the same secret to the end of the email and check that it matches the magic number. If it does run the program.

Notes:
Use email address / zip code becuase people are very inconsistent on typing their name.

Lookup MD5 on wikipedia, if you need code email me, basically it calculates a unique number from some data. It is hard to work out the original data from the MD5.

The secret is to stop them realising you used MD5 and creating their own key.
Martin Send private email
Monday, December 18, 2006
 
 
Hi, Thanks for the suggestions. Should I send the registration data back to my server or is that considered naughty?
Steve
Monday, December 18, 2006
 
 
OK, well it's your server that has to figure out the key from the reg info. I would not require a net connection and make it optional to do it that way, asking for permission before phoning home. If they don't want to do that (sometimes the computer they are installing it on doesn't have a net connection), they'll need to visit your web site somehow and get the key that way. It's a nice convenience if you mail the key to the email address they gave.
Meghraj Reddy
Monday, December 18, 2006
 
 
Have a look at eSellerate.net  They do this and provide a complete purchasing system which you can integrate in your app. You need to do lots of obfuscation and misdirection if you want to thwart hackers. You'll find endless discussions on this here and in other forums.
Neville Franks Send private email
Monday, December 18, 2006
 
 
Back to basics.

What impact do you assess casual copying is having upon your business?
Architecture Astronaut
Friday, December 22, 2006
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz