I have node-locked licensing working, using the MAC address and system time. We're concerned that people will just edit their system date to extend a license, so I've tried getting the real date from a machine in the NTP pool. That works, but then obviously you can't use the product without being online, and it doesn't seem to be 100% reliable (I'm guessing the UDP packet never arrives/returns in some cases).

What's the standard approach here? Live with the changeable OS date? Run something on a web server that provides the time over TCP? I hear the BIOS date gets updated by the OS when you reboot, so perhaps there isn't any way to know for sure what the current date is without using the internet?

I know that licensing can never be completely secure, and I expect it to be cracked or torrented, but I don't want it to be as easy as changing the system date. Any ideas appreciated. Thanks

A: 

Using a hard disk drive serial number in addition to the date would be more difficult to bypass. You can also have it limited to the user login name. Other than having a hardware dongle, software licensing can always be circumvented.

Update: If that's the case, can't you just monitor the time? Create an algorithm that validates the system clock follows a logical progression (always increasing). If the date ever suddenly gets shifted back more than a specified amount of time (you have to account for some drift and internet time server corrections), you disable the program until the user restores the clock?

Jeff Lamb
I don't think the disk serial number is available on Linux unless I'm root, can't remember. Less worried about tying it to a specific machine or user than I am about the indefinite extension of licenses.
mr grumpy
I'd have to store that last-system-time in a file somewhere, which they could erase. I guess I could check the filesystem for the most recently modified file (any file) and check if that's in the future with regard to the system time. Hmmm.
mr grumpy
Couldn't you store it in a critical program file? If they delete that file, they screw up the program as well. You could obfuscate the system time using some algorithm so it's not easily readable, then CRC check it to make sure it hasn't been mucked with.
Jeff Lamb
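
The clock-monitoring idea discussed in the answer and comments above, as an added example that is not code from any poster: a persisted high-water mark of the latest time seen, checked on each start, with an HMAC in place of the CRC mentioned in the comments (a CRC is unkeyed, so anyone who edits the value can recompute it). The key, file layout, tolerance value and function names are assumptions; a key shipped inside the product only raises the effort needed to forge the file.

```python
import hashlib
import hmac
import json
import os
import tempfile

KEY = b"constructed-demo-key"  # assumption: secret shipped inside the product
TOLERANCE = 300  # assumption: seconds of backward drift / NTP correction allowed


def tag(ts):
    """Keyed MAC over the stored timestamp (stands in for the CRC idea)."""
    return hmac.new(KEY, str(ts).encode(), hashlib.sha256).hexdigest()


def write_state(path, ts):
    """Atomically persist the latest time seen, together with its MAC."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"last": ts, "tag": tag(ts)}, f)
    os.replace(tmp, path)


def check_clock(path, now, expiry):
    """Return 'ok', 'expired', 'rollback', 'tampered' or 'missing'."""
    try:
        with open(path) as f:
            state = json.load(f)
        last = int(state["last"])
        if not hmac.compare_digest(state["tag"], tag(last)):
            return "tampered"
    except FileNotFoundError:
        return "missing"  # state is created at activation; treat loss as failure
    except (ValueError, KeyError, TypeError):
        return "tampered"
    if now < last - TOLERANCE:
        return "rollback"  # clock moved back further than drift explains
    high = max(now, last)  # never let the recorded time decrease
    write_state(path, high)
    return "expired" if high > expiry else "ok"


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "state.json")
    write_state(path, 1_000_000)  # constructed activation time
    print(check_clock(path, 1_000_600, 2_000_000))  # normal forward progress
    print(check_clock(path, 900_000, 2_000_000))  # system date set back
```

Expiry is compared against the recorded high-water mark rather than the current reading, so repeatedly nudging the clock back inside the tolerance window does not extend the license.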