Securing a Database Against Illegal Use

SteveC24

Hello,

I have now completed my database, and am selling it.

Before I do though, I would like to put something in it to stop it from being distributed freely.

I remember someone saying AGES ago that they make their users re-register with them every year or something....this would be fine, but I would need to come up with a way of allowing them to do it via my website, as I know I wouldn't like to wait to use software I had purchased a license for!

Any suggestions very gratefully received!
 
Steve,

If you follow the below link, it has a couple of examples where the database is restricted after 30 days of use, this is customisable.

Expire after 30 days

HTH

Andy
 
Thanks,

But I already have some date restriction code in there, which is unused (except in demos).

If someone purchases my database, I would send it to them on a CD, but then I want to make sure that if that person (PERSONA) gives it to someone else (PERSONB), I want to ensure that PERSONB is left with a useless product, as it will not work for him/her.

I have the installer program with a serial number in, but that is as easy as pie to get around.

Is there some way I can tie one database to one computer?
 
You could do a two-part registration. The first with the serial number as you have it. The second is a web activation. When it is first used, your app can check a local table to find out if the local serial number has been activated yet and if not ask the user to contact your website to register. That way you can make sure that a single serial number is only registered to a user one time.
 
Hello Pat,

Thank you very much for your help.

I think I like your idea.

Let me run through it in my simple (and deranged) way...

I sell the product, it comes with a serial number on the box - the user installs it, and enters the serial number into the installer.

Then, once the user opens up the database, it looks at a local table to find another serial number, and looks on the web to see if it has already been activated.

How would I get Access to look at the Internet? Sorry if I am being thick, but it's what I do best!
 
Steve,

Your best bet would be to have a MySQL database on your site where the activated codes are kept, and then some interface where it looks up from the MySQL db to validate the serial number.

Don't know how you would pass the values between the two, I'm sure there must be something about this on the net.

Not tried it but I hope this helps in your quest.

Regards

Andy
 
Your biggest problem will be to prevent spoofing. What I might suggest is to allow a user 30 days to visit the web site to get a permanent key using a challenge/response method.

So here is the idea in general:

Your software has some numbers associated with it. These numbers have to somehow change with each copy, sort of like a product serial number.

Your customer's computer has some things you can look at. For instance, the serial number of the hard drive, the serial number of the CPU, or the serial number of Windows, all of which should be unique in some way or another. So you write some VBA code that, when you trigger it, provides the user with a bunch of numbers - the software product serial number and one or more of the other numbers above. Perhaps disguised in some way like scrambling digits or hashing before they are even published.

Your web site has a challenge/response page. You enter all of the numbers supplied by the little application on the user's computer. (You might have to do a web search for "hashing algorithms" and pick one.) Hash the user's responses using a formula known only to you. Reply to the user with the resultant hash value. The little app takes this number and does something to the user's registry. See help topics for SaveSetting and GetSetting for how to do this.

OK, here is the part that is tricky. You cannot distribute the source code for this registration app because that would let folks know what you are using. Binaries only for that app. But put the same computation in the app that your web page uses.

If your user registers, your web site remembers the combination of numbers for product serial number and whatever else you used. When your product starts on the user's computer, you try to retrieve the key you choose with GetSetting. You will have three possible cases:

1. No such key - you are in the 30-day trial period of an unregistered copy. It is up to you to do the date tests and decide what to do about that. Possibly test for a second registry entry that contains a date of first use. Always write a third entry that contains a date of LAST use plus a hash.

1.a No date of first use: Encode the date in clear text PLUS include a hashed variant of that date as a part of the same key. Save the key. Write the date of LAST use entry.

1.b Date of first use exists, hash is OK, "today" is within proper time limits, last use is earlier than today's date, hash is OK: Allow the use

1.c Date of first use exists, hash is OK, last use exists, hash is OK, date is outside of limits: Product trial period has expired. Here, be gentler than the next case, but refuse to run.

1.d Any of the following cases: (First use exists & hash is wrong; Last use exists & hash is wrong; Last use exists with good hash but today's date is earlier than last date; one of the two dates does not exist) - product registry data has been tampered. Barf all over the user.

2. Key exists and its value matches the computed hash - you have a registered product. Keep on truckin'

3. Key exists and its value does not match the computed hash - your user's configuration has changed. You cannot tell whether the problem is a hardware change or an attempt to pirate your software, but you know it ain't what it used to be.

Complain to the user that the product key (which, due to hashing, contained computer identification data) appears to be incorrect for the current environment, delete your old key settings, and advise the user they have 30 days to register correctly. Write the registry entries for date of first use and date of last use as though this was an initial install.

If you take this approach, it is incumbent on you to notify the user during initial installation that the product has a strictly enforced expiration policy if you don't register it AND that the policy is bound to some unspecific characteristics of the computer running the app. Further explain that changing out a hard drive, CPU chip, or certain other things will possibly require product re-registration.

Now, on the web site, when a registration combination is entered, you can test for duplication of product identification key with different machine identifiers. If a person tries to register a key that has been used already and the system identification information doesn't match, advise the user of a phone number to call in order to get the previous registration deleted. Of course, you will write down a lot of information about the owner when such a call comes in, because that person is now suspected of being a pirate.

And here is the final secret: The reason a person is involved is because you cannot trust the computer to forever get it right. At some point you want a human hand in the process when you suspect a breach of trust. Because, you see, trust is always and ultimately based on human judgement.

ALL TRUST MODELS start with the concept of "Does the system administrator trust client XYZ" as a basic question for security setup for all new systems. That is not (or should not be) an automatic decision the first time.
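
The start-up cases and the web-side duplicate check from the post above, sketched in Python as an added example that is not part of the original thread. HMAC-SHA256 stands in for the "formula known only to you"; the key, the `settings` dict (in place of SaveSetting/GetSetting registry values), the `db` dict, the status strings and all function names are assumptions. Treating "both dates missing" as a fresh install and "exactly one missing" as tampering is also an assumption, made to reconcile cases 1.a and 1.d.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: stands in for the private "formula"
TRIAL_DAYS = 30


def tag(*parts):
    """Keyed hash (HMAC-SHA256) over the fields, shortened so a user can type it."""
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:16]


def stamp(d):
    """Case 1.a: clear-text date plus a hashed variant in the same value."""
    return f"{d.isoformat()}:{tag('date', d.isoformat())}"


def read_stamp(value):
    """Return the date if the stamp verifies, else None (missing or altered)."""
    text, _, mac = (value or "").partition(":")
    ok = hmac.compare_digest(mac, tag("date", text))
    return date.fromisoformat(text) if ok else None


def register(db, serial, machine_id):
    """Web side: one machine per serial; a different machine goes to a human."""
    if db.setdefault(serial, machine_id) != machine_id:
        return None
    return tag(serial, machine_id)


def startup_check(settings, serial, machine_id, today):
    """Client side: classify a start-up into the post's cases 1.a-1.d, 2 and 3."""
    if "key" in settings:
        if hmac.compare_digest(settings["key"], tag(serial, machine_id)):
            return "registered"                                  # case 2
        settings.clear()                                         # case 3: restart trial
        settings["first"] = settings["last"] = stamp(today)
        return "environment-changed"
    if not settings:                                             # case 1.a: fresh install
        settings["first"] = settings["last"] = stamp(today)
        return "trial-started"
    first, last = read_stamp(settings.get("first")), read_stamp(settings.get("last"))
    if first is None or last is None or today < last:
        return "tampered"                                        # case 1.d
    if (today - first).days > TRIAL_DAYS:
        return "trial-expired"                                   # case 1.c
    settings["last"] = stamp(today)                              # case 1.b
    return "trial-ok"
```

Because the same key ships inside the client, it can be recovered from the binary, so the server-side one-machine-per-serial record is the control that actually limits sharing.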
 
Had to throw this in...

"Peters Software" has an add-in module called KeyedAccess for sale at:

http://www.peterssoftware.com/ka.htm

This is an excerpt from that site:

"KeyedAccess is an add-on module for Microsoft Access that allows you to generate and validate 16 digit Reg ID/Product Keys, or to generate an installation-specific Serial Number on the end-user's computer which can be unlocked with a corresponding Unlock Code."

Although I haven't used his software, this is one that I am considering for use in the future; there was at least one other which had similar attributes, but I am unable to find it right now. Developer costs last time I looked were ~$300 USD, should double check on cost and version compatibility.

I am interested in your final decision.

Thanks
 
