ionCube Logo
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


 
Post new topic   This topic is locked: you cannot edit posts or make replies.    ionCube Forum Index -> ionCube PHP Encoder

IP/MAC License questions

Author Message
BSDguru



Joined: 24 Jun 2011
Posts: 9

PostPosted: Fri Jun 24, 2011 5:18 pm    Post subject: IP/MAC License questions Reply with quote

I'm evaluating ioncube currently. We'll probably use it for code protection, but I have some questions on the licensing features.

We have a product which is an appliance with web administration, but the device is often not on a public IP. Since anyone can set any adapter to any MAC or IP, I don't see how those would be very good security. We generate a serial number in our software; is there any way to tie the license to an alternate code or some custom method?

DT
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

PostPosted: Sat Jun 25, 2011 9:56 am    Post subject: Reply with quote

As your target device is unusual in that the MAC addresses can be changed, whereas this isn't normally possible of course, you might look to extra locking measures. You can store arbitrary key/value data in license files, and coupled with script based license checking rather than auto, this is great for extending licensing mechanisms. For example you might store a file path and inode number, and then have checking in PHP that verifies that the file as the expected inode number. You could check data from /sys or /proc, perhaps in /dev or /udev, etc etc.
_________________
Community Admin
Back to top
View user's profile Send private message
BSDguru



Joined: 24 Jun 2011
Posts: 9

PostPosted: Sun Jun 26, 2011 11:25 am    Post subject: Reply with quote

There's nothing unusual about it. Anyone who knows what they're doing can easily change a MAC in virtually any modern OS. It's a generic command in Linux, FreeBSD and OSX. I suppose you could store the expected MAC as a data pair. But a MAC address is not a secure way of identifying a particular machine in the last 10 years.
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

PostPosted: Sun Jun 26, 2011 5:10 pm    Post subject: Reply with quote

Quote:
Anyone who knows what they're doing can easily change a MAC in virtually any modern OS


The reality is that if an end user really knows what they're doing then most conceivable locking mechanisms can be worked around through mechanisms such as library pre-load to intercept operating system and library calls and then changing the results to what they need to be to get past some licensing scheme. Going beyond software, hardware dongles used to secure software such as Cubase were reverse engineered and software emulators released to defeat the hardware protection, showing that hardware systems are not immune either.

However, even on systems where it may be possible, experience shows that end users of PHP scripts typically either won't know how to do so, think about or be interested in doing so, or be able to due to restrictions of the machine (such as being a shared server) or from problems that result. So MAC address oriented locking is definitely still a useful technique, though script providers tend to use domain (server) name locking, and only possible via a 3rd party system as PHP gives no native way to report the MAC address. Any single technique should be combined with other available mechanisms where possible. The ability to store and retrieve key/value information from license files is very powerful, and the route to infinitely extensible and obscure custom licensing schemes that aren't pre-known by end users of scripts if one feels the need to compound and layer licensing mechanisms over and above what is available as standard.
_________________
Community Admin
Back to top
View user's profile Send private message
BSDguru



Joined: 24 Jun 2011
Posts: 9

PostPosted: Mon Jun 27, 2011 9:03 pm    Post subject: Reply with quote

If we were just dealing with old ladies with tennis shoes, then we could just use an obfuscator. The average idiot wouldn't know what to do with source code if they have it.

When I say "anyone who knows what they're doing", I'm not talking about chinese hackers. I mean any system admin working in any ISP or major company in the world. Or anyone who might figure out how to type in "How to change MAC address in OSX". Why don't you type that in and see what you get.

Not everyone is selling $49 scripts. I'm sure that many of your customers are trying to protect thousands of man-hours of investment. And the truth is that anyone who knows how to google can change the MAC on any major OS. Trying to argue otherwise is not helpful to your customers. We're not talking about building dongle emulators here; we're talking about issuing a simple command as root.
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

PostPosted: Tue Jun 28, 2011 9:27 am    Post subject: Reply with quote

Quote:
I mean any system admin working in any ISP or major company in the world.


Even if that were true, and I'm not saying that it shouldn't be true but the reality is far from it, most "ISP's or major companies in the world" and managers are not going to take the risk from what could happen when said system admin who was asked to implement measures to achieve software theft is given the axe through downsizing measures or when they don't get the bonus or pay rise that they were expecting. Furthermore, such actions are unlikely to be sanctioned by senior management, and staff given the chop if/when discovered. In contrast, if there aren't licensing mechanisms in place to implement licensing schemes, then use of software on unlicensed systems, perhaps without realising that this is against licensing policy, is certainly quite likely.

Anyway, if you don't feel that a particular mechanism is useful for your particular situation, then don't use it, and take advantage of other features provided for implementing a custom licensing scheme of your own creation. You might even consider writing a PHP module in C for licensing your code. The great thing is that we give a variety of tools as standard plus ways to extend, with the only limitation being one's creativity. Going forward, version 8 is planned to feature some new types of code protection mechanisms, and may also have some new licensing mechanisms options to play with, expanding what is there as standard.
_________________
Community Admin
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   This topic is locked: you cannot edit posts or make replies.    ionCube Forum Index -> ionCube PHP Encoder All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum