I'm developing some software that I'm going to eventually sell. I've been thinking about different copy protection mechanisms, both custom and 3rd party. I know that no copy protection is 100% foolproof, but I need to at least try. So I'm looking for some opinions on the approach I'm thinking about:

One method I'm thinking about is just having my software connect to a remote server when it starts up, in order to verify the license based off the MAC address of the ethernet port.

  • I'm not sure if the server would be running a MySQL database that retrieves the license information, or what... Is there a more simple way? Maybe some type of encrypted file that is read?
  • I would make the software still work if it can't connect to the server. I don't want to lock someone out just because they don't have internet access at that moment in time. In case you are wondering, the software I'm developing is extremely internet/network dependent. So it's actually quite unlikely that the user wouldn't have internet access when using it. Actually, it's pretty useless without internet/network access.
  • Anyone know what I would do about computers that have multiple MAC addresses? A lot of motherboards these days have 2 ethernet ports. And most laptops have 1 ethernet, 1 wifi and Bluetooth MAC addresses. I suppose I could just pick a MAC port and run with it. Not sure if it really matters.
  • A smart and tricky user could determine the server that the software is connecting to and perhaps add it to their host file so that it always tries to connect to localhost. How likely do you think this is? And do you think it's possible for the software to check if this is being done? I guess parsing of the host file could always work. Look for your server address in there and see if it's connecting to localhost or something.
  • I've considered dongles, but I'm trying to avoid them just because I know they are a pain to work with. Keeping them updated and possibly requiring the customer to run their own license server is a bit too much for me. I've experienced that and it's a bit of a pain that I wouldn't want to put my customers through. Also I'm trying to avoid that extra overhead cost of using 3rd party dongles.
  • Also, I'm leaning toward connecting to a remote server to verify authentication as opposed to just sending the user some sort of license file because what happens when the user buys a new computer? I have to send them a replacement license file that will work with their new computer, but they will still be able to use it on their old computer as well. There is no way for me to 'de-authorize' their old computer without asking them to run some program on it or something.
  • Also, one important note, with the software I would make it very clear to the user in the EULA that the software connects to a remote server to verify licensing and that no personal information is sent. I know I don't care much for software that does that kinda stuff without me knowing.

Anyways, just looking for some opinions for people who have maybe gone down this kinda road.

It seems like remote-server-dependent software would be one of the most effective copy-protection mechanisms, not just because of the difficulty of circumventing it, but also because it could be pretty easy to manage the licenses on the developer's end.

+1  A: 

Remember, if someone wants to pirate your software, they will. Generally, they don't even bother with emulating the license server, they just insert a jmp around all license check code. You can make this more difficult (self-modifying code, checks everywhere, code which is not delivered until the license check succeeds, etc), but it becomes a full-time job doing license enforcement.

You are trying to stop casual pirates, which is fine. Doing a simple HTTP request to a license server, with the license code and MAC ID in a hash, is a legitimate method. Have an easy way to "unregister" computers (it's reasonable to move the license amongst machines or to install it on someone's laptop IMO), and don't do a hard lockout once something changes. Decent models are iTunes DRM (5 computers, deauthorization, and a global reset) and Windows (fuzz factor based on how different the computers are).

If the software is not internet accessible or the organization dislikes it, the general practice is to have a license server on the customer network which manages the authorization portion. There is established middleware for this already (FlexLM amongst others). Maintaining a license server is a PITA most IT departments balk at, so if you can piggyback on existing infrastructure, the more acceptable your solution becomes.

Yann Ramin
Good thoughts. I'd like to hear more of your idea of self modifying code. Perhaps after a license is successfully verified, the server sends back unique code that alters the existing code as to where the license check occurs? So basically, the location of the code where the license check occurs changes all the time? Is that where you were going? How would you do these kinda modifications on code that is compiled into a DLL that will most likely be r/o during runtime?
Jakobud
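The seat model from Yann Ramin's answer (hash of license code and machine ID, five seats, deauthorization, global reset) combined with the asker's wish to keep working offline, as an added sketch that is not part of the original thread. The key, lease length and function names are assumptions; HMAC is used only to stay inside the standard library, and a shipped client would verify an asymmetric signature so it holds no signing secret.

```python
import hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: demo secret, never shipped like this
MAX_SEATS = 5                         # seat limit in the style the answer mentions
LEASE_SECONDS = 7 * 24 * 3600         # assumption: how long a client may run offline

def machine_hash(license_code, machine_id):
    """Hash of license code + machine ID, so the raw ID never leaves the client."""
    return hashlib.sha256(f"{license_code}|{machine_id}".encode()).hexdigest()

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

class LicenseServer:
    def __init__(self):
        self.seats = {}  # license_code -> set of machine hashes

    def activate(self, license_code, mhash, now=None):
        """Return a signed lease, or None when every seat is held by other machines."""
        now = time.time() if now is None else now
        seats = self.seats.setdefault(license_code, set())
        if mhash not in seats and len(seats) >= MAX_SEATS:
            return None
        seats.add(mhash)
        body = json.dumps({"lic": license_code, "m": mhash,
                           "exp": int(now) + LEASE_SECONDS}, sort_keys=True)
        return body + "." + _tag(body)

    def deactivate(self, license_code, mhash):
        """Free one seat (the user moved to a new computer)."""
        self.seats.get(license_code, set()).discard(mhash)

    def reset(self, license_code):
        """Global reset: drop every activation for this license."""
        self.seats.pop(license_code, None)

def lease_valid(lease, license_code, mhash, now=None):
    """Client-side check used while the server is unreachable."""
    now = time.time() if now is None else now
    body, _, tag = lease.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False  # forged or altered, e.g. served from a redirected hostname
    claims = json.loads(body)
    return (claims["lic"] == license_code and claims["m"] == mhash
            and now < claims["exp"])
```

Because the lease is bound to one machine hash and expires, a copied lease file or a fake server answering on localhost yields nothing the client will accept.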
A: 

Commercial licensing tools already do all that you describe and more - or at least, the licensing system we offer does: "phone-home" licensing with a grace period, automatic node-locking between validations (and the MAC address is not a good choice, even if it is widely used, because on many systems this address can be set by the user), secure support for user self-service license relocation, license tracking and reporting and more. Why re-invent the wheel (then figure out how to make it secure, useable etc.)?

Dominic
I removed the signature as per the [site policy](http://meta.stackoverflow.com/questions/5029/are-taglines-signatures-disallowed)
Pascal Thivent
Sounds interesting. What do you use instead of the MAC address? A hash determined by the combination of the hardware installed?
Jakobud
Depends on the platform as to what can be read: host ID, disk ID etc. In any event our mechanism is extensible so you can add any desired (readable) parameter into the locking mix, such as the serial number of custom hardware, for example, if applicable.
Dominic
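Node-locking on several hardware parameters with a tolerance for change, as discussed in this answer and in the "fuzz factor" remark earlier, shown as an added sketch that is not Dominic's product or any vendor's algorithm. The attribute names, weights and threshold are assumptions, and the sample machines are constructed.

```python
import hashlib

# Assumed attribute names and weights; the MAC counts least because users can set it.
WEIGHTS = {"host_id": 3, "disk_id": 2, "mac": 1}
THRESHOLD = 4  # assumption: weight that must still match, out of 6

def enroll(license_code, hardware):
    """Record one hash per attribute at activation time instead of raw values."""
    return {name: hashlib.sha256(
                f"{license_code}|{name}|{hardware[name]}".encode()).hexdigest()
            for name in WEIGHTS if name in hardware}

def score(license_code, enrolled, hardware):
    """Sum the weights of attributes that still match the enrolled record."""
    current = enroll(license_code, hardware)
    return sum(w for name, w in WEIGHTS.items()
               if name in enrolled and current.get(name) == enrolled[name])

def node_lock_status(license_code, enrolled, hardware):
    s = score(license_code, enrolled, hardware)
    if s == sum(WEIGHTS[n] for n in enrolled):
        return "match"
    if s >= THRESHOLD:
        return "drifted"     # accept, refresh the record at the next server contact
    return "reactivate"      # too different: ask the user to move the license

# Constructed sample machines
ORIGINAL = {"host_id": "H-1001", "disk_id": "D-77AA", "mac": "00:11:22:33:44:55"}
NEW_NIC = dict(ORIGINAL, mac="66:77:88:99:aa:bb")
NEW_DISK = dict(ORIGINAL, disk_id="D-0001")
OTHER_PC_SAME_MAC = {"host_id": "H-2002", "disk_id": "D-9F3C",
                     "mac": "00:11:22:33:44:55"}
```

A replaced network card or disk is tolerated, while a different machine that only presents the same MAC address falls below the threshold.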