Controlling who can run an executable

I am developing a program for a client. She runs a shop where her
clients bring in items for sale or short term buyback. Development of
the program has been going great but she's mentioned that there is a
'feature' coming up in the next couple of weeks that she'd like me to
implement that has me a bit worried.

My client has told me a story of how she hired someone from a competing
store and that person had brought a copy of the program her competition
was using to track clients and transactions. He couldn't demonstrate
the program for one reason or another because it was protected in a way
that neither could circumvent. (She didn't remember how it was
protected, she had hired this person a long time ago.)

Now that I'm three months into the development of this program, my
client tells me she would like to protect her investment by preventing
her employees from doing the same to her. (Going to the competition
and using her program.)

What my client cannot prevent:
- access to the .exe

What my client is looking to prevent:
- running of the exe by un-authorized individuals.

Ideas I've had to prevent someone from running the app:
- ask for a password every time the program is run. (I wonder how
quickly they will complain about this, not very secure once everyone
eventually finds out what the password is)
- make a little hardware dongle and check to see if it's on the
parallel port. (old idea)
- check for an encrypted flash drive and try to read an encrypted file
from it. (new idea)
- buy the client a Microsoft Fingerprint Keyboard and figure out if it
will make the client's life easier (two minutes of research showed this
idea has multiple problems)

What I want:
- the simplest thing that could possibly work!

I guess my problem isn't really a python problem. This is a scenario
that any developer in any language might face where an executable
should only be run by approved individuals.

c.l.p searches I've tried:
'protecting code' - details how to make python files 'unreadable'
'preventing execution' - best one here details encrypting a root
password

Thanks

Oct 4 '05 #1
"Cigar" <ch************ @hotmail.com> writes:
> Now that I'm three months into the development of this program, my
> client tells me she would like to protect her investment by preventing
> her employees from doing the same to her. (Going to the competition
> and using her program.)

First thing to know; you can't stop someone who's sufficiently
determined to run the program. The best you can do is raise the cost
of breaking your security to be more than any value that could be
gained from doing so.

> What my client cannot prevent:
> - access to the .exe
>
> What my client is looking to prevent:
> - running of the exe by un-authorized individuals.

Not quite.

> Ideas I've had to prevent someone from running the app:
> - ask for a password every time the program is run. (I wonder how
> quickly they will complain about this, not very secure once everyone
> eventually finds out what the password is)

If only authorized people have the password, then this works. The
problem is that her employees are probably authorized, but she doesn't
trust them to not take the program to her competition. Which brings
up an alternative goal:

Prevent running of the exe on unauthorized hardware.

> - make a little hardware dongle and check to see if it's on the
> parallel port. (old idea)
> - check for an encrypted flash drive and try to read an encrypted file
> from it. (new idea)
> - buy the client a Microsoft Fingerprint Keyboard and figure out if it
> will make the client's life easier (two minutes of research showed this
> idea has multiple problems)

Note that these three all use the idea of unauthorized hardware, not
people.

You don't need to install special hardware to get that. There are a
number of pieces of hardware that you can find in a modern computer
that may have a unique serial number you can use as a
dongle. Possibilities include a CPU serial number, an HD serial
number, and the MAC address of any network cards: ethernet, wireless,
and apparently FireWire drivers have them. People have used all of
them in the past.

> What I want:
> - the simplest thing that could possibly work!

Telling her "Don't let your employees near the computer with media, or
when it's connected to a network." That could possibly work, for some
definition of work. You need to define how difficult you want breaking
your security to be. Then we know what "work" means, and can figure
out what "the simplest thing" is.

<mike
--
Mike Meyer <mw*@mired.or g> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Oct 4 '05 #2
"Cigar" <ch************ @hotmail.com> writes:
> Now that I'm three months into the development of this program, my
> client tells me she would like to protect her investment by preventing
> her employees from doing the same to her. (Going to the competition
> and using her program.)


Exactly what is the threat here? Misuse of confidential data, or just
the code itself? Does the code do anything that fantastic? Did the
employees sign NDA's? Usually this kind of thing is taken care of by
legal agreements. Occasionally there are disputes that make the news
(Microsoft and Kai-Fu Lee, etc.) but they make the news precisely
because they're rare.

What is the competitor going to do with this code even if they get it?
It's just keeping track of transactions and stuff, right? It's being
tailored to one person's specific preferences and requirements, and
the competitor's needs will be different and they may as well just use
something generic.

Your best bet may be to just explain this to the client, that the most
valuable thing in a business is relationships; technical secrets
aren't nearly as big a deal as some people like to think.

Also, is there an office network? Maybe you could run the program on
a server that most employees wouldn't have access to. They'd use it
through some limited client program or through a web browser.

If you really want to do something with a hardware token, I like this
stuff: <http://basiccard.com>. Assuming you're in the USA, buy from
the Canadian distributor since shipping from Germany is very expensive.
Oct 4 '05 #3
Mike Meyer wrote:
> You don't need to install special hardware to get that. There are a
> number of pieces of hardware that you can find in a modern computer
> that may have a unique serial number you can use as a
> dongle. Possibilities include a CPU serial number, an HD serial
> number, and the MAC address of any network cards: ethernet, wireless,
> and apparently FireWire drivers have them. People have used all of
> them in the past.


What's more, Tim Golden's wmi module (see
http://tgolden.sc.sabren.com/python/wmi.html) makes getting at these
numbers very easy:

import wmi  # Tim Golden's WMI wrapper (Windows only)

c = wmi.WMI()
# Each WMI class below exposes an identifier tied to one piece of hardware.
for thingy in c.Win32_NetworkAdapter():
    print("Network Adaptor", thingy.MACAddress)
for thingy in c.Win32_Processor():
    print("Processor", thingy.ProcessorId)
for thingy in c.Win32_BIOS():
    print("BIOS", thingy.SerialNumber)
for thingy in c.Win32_BaseBoard():
    print("BaseBoard", thingy.SerialNumber)
for thingy in c.Win32_SystemEnclosure():
    print("System Enclosure", thingy.SerialNumber)
for thingy in c.Win32_DiskDrive():
    print("Disk Drive", thingy.PNPDeviceID)
for thingy in c.Win32_PhysicalMedia():
    print("Physical Media", thingy.SerialNumber)

Regards, Myles.

Oct 4 '05 #4
> What I want:
> - the simplest thing that could possibly work!


Have the program check for a file hidden somewhere on the computer.
For instance, if the file dummyfile.dll doesn't exist in the
windows/system32 folder the program just doesn't start. And when you
install the program on her computer just add this file. And if anyone
copies the program they can't run it on any other computer because they
don't know the name of the file that's needed to start the program.

How about that?

Oct 4 '05 #5
Mike Meyer wrote:
> First thing to know; you can't stop someone who's sufficiently
> determined to run the program.

I have explained to her that I can't prevent someone who REALLY wants
her program from tossing a rock through her front window and making off
with her PC. They'd get the hardware and the executable along with the
client and transactions data. She conceded that that would be out of
my scope of being able to protect her program.

>> Ideas I've had to prevent someone from running the app:
>> - ask for a password every time the program is run. (I wonder how
>> quickly they will complain about this, not very secure once everyone
>> eventually finds out what the password is)
>
> If only authorized people have the password, then this works. The
> problem is that her employees are probably authorized, but she doesn't
> trust them to not take the program to her competition. Which brings
> up an alternative goal:

I may have to just put password protection in and if she hangs herself
by 'sharing' the password with underlings she trusts (at the
present)... again that's outside of my control of protecting her.

>> What I want:
>> - the simplest thing that could possibly work!
>
> Telling her "Don't let your employees near the computer with media, or
> when it's connected to a network."

Currently this app is running on a stand alone PC. There was a big
concern about hackers getting at her program or data from over the
internet. I complimented her on this level of security. No floppy
drive either.

Oct 4 '05 #6
"Cigar" <ch************ @hotmail.com> writes:
> I may have to just put password protection in and if she hangs herself
> by 'sharing' the password with underlings she trusts (at the
> present)... again that's outside of my control of protecting her.

You could have the password automatically change once a month. Give
her a master list of passwords and tell her to lock it away. Each
month she refers to the list and gives underlings a new password.

> Currently this app is running on a stand alone PC. There was a big
> concern about hackers getting at her program or data from over the
> internet. I complimented her on this level of security. No floppy
> drive either.


If the app is not being used too often, install it on a laptop and
lock the laptop in a drawer when not in use.
Oct 4 '05 #7
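
Added example, not part of any post in this thread: a sketch of the monthly password list suggested in post #7, in which the owner keeps the printed list and the program stores only a salt and a PBKDF2 hash per month. The function names, the `YYYY-MM` period format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this sketch


def _hash(password, salt):
    """Slow salted hash, so the stored table does not reveal the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_schedule(start, months):
    """Return (printed_list, stored_table) covering `months` months from `start`.

    printed_list is what the owner locks away; stored_table ships with the
    program and holds only salts and hashes, never the passwords themselves.
    """
    printed, stored = {}, {}
    year, month = start.year, start.month
    for _ in range(months):
        period = f"{year:04d}-{month:02d}"
        password = secrets.token_urlsafe(9)  # 9 random bytes -> 12 characters
        salt = secrets.token_bytes(16)
        printed[period] = password
        stored[period] = (salt, _hash(password, salt))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return printed, stored


def check_password(stored, attempt, today):
    """Accept only the password scheduled for today's calendar month."""
    period = f"{today.year:04d}-{today.month:02d}"
    if period not in stored:
        return False  # list has run out: fail closed until it is renewed
    salt, expected = stored[period]
    return hmac.compare_digest(_hash(attempt, salt), expected)


if __name__ == "__main__":
    # Constructed demo: a four-month list starting in October 2005.
    printed, stored = make_schedule(date(2005, 10, 1), 4)
    for period, password in printed.items():
        print(period, password)
    print(check_password(stored, printed["2005-10"], date(2005, 10, 4)))
    print(check_password(stored, printed["2005-10"], date(2005, 11, 4)))
```

The check trusts the PC clock, so rotation limits how long a shared password stays useful on the shop PC but does not stop a copied program from being run elsewhere with the date set back.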
Paul Rubin wrote:
> "Cigar" <ch************ @hotmail.com> writes:
>> Now that I'm three months into the development of this program, my
>> client tells me she would like to protect her investment by preventing
>> her employees from doing the same to her. (Going to the competition
>> and using her program.)
> Exactly what is the threat here?

I think the BIGGEST threat here is a feeling of vulnerability. She now
realizes that she is in a position that her competition was many years
ago when she came into possession of a program the 'other side' was using
and that she is now vulnerable. She wants to feel safe in the
knowledge that she didn't reach into her pocket and pay thousands of
dollars for a program that could now be used by her competition.
Nobody wants to pay money to level the playing field for all in a
business environment.

> Misuse of confidential data, or

It's just a collection of names, addresses, phone numbers, birthdays
and drivers licences/health cards. I can think of a few dishonest
things that could be done with this but her competition has
basically the same clients.

> just the code itself?
> Does the code do anything that fantastic?

Not by my standards but it is slowly replacing a paper system. (Police
officer shows up and says 'We've just arrested John Smith. Has he sold
you anything in the last 90 days?' The client says 'Just a minute' and
reaches for a set of 4" d-ring binders and turns hundreds of pages
looking for a Smith name...) My client is relieved that this scenario
will soon disappear.

> Did the employees sign NDA's? Usually this kind of thing is taken care of by
> legal agreements.

Good question! I'm pretty sure not but that's something I could
suggest to her.

> What is the competitor going to do with this code even if they get it?

Simplify their lives. See above.

> It's just keeping track of transactions and stuff, right?

You are correct sir.

> It's being
> tailored to one person's specific preferences and requirements, and
> the competitor's needs will be different and they may as well just use
> something generic.

Not really. The client just wants to track people and what they buy,
sell or put on buyback. Their competition's needs are the same.

> Also, is there an office network? Maybe you could run the program on
> a server that most employees wouldn't have access to. They'd use it
> through some limited client program or through a web browser.


A network exists but the client insists on a standalone PC.

Oct 4 '05 #8
"Cigar" <ch************ @hotmail.com> writes:
> I think the BIGGEST threat here is a feeling of vulnerability. She now
> realizes that she is in a position that her competition was many years
> ago when she came into possession of a program the 'other side' was using
> and that she is now vulnerable. She wants to feel safe in the
> knowledge that she didn't reach into her pocket and pay thousands of
> dollars for a program that could now be used by her competition.
> Nobody wants to pay money to level the playing field for all in a
> business environment.

Suppose that competitor's program that her employee had illicitly
brought her wasn't protected, so she was able to run it. You might
ask her whether, ethical issues aside, she would be willing to use it
on a daily basis, given it sounds like people in her industry know
each other enough that word would probably get back to the competitor,
and any resulting lawsuit would leave her up a creek. If she's not
willing to use her competitor's program under those circumstances,
should she really be afraid of her competitor using hers? Also, if
all she got from the competitor was an .exe, she'd have no way to
customize it, and vice versa.

> It's just a collection of names, addresses, phone numbers, birthdays
> and drivers licences/health cards. I can think of a few dishonest
> things that could be done with this but her competition has
> basically the same clients.

Well, that sounds pretty confidential to me, but I'll take your word
for it that the competitors are more interested in the code than the
data. I do think she's overestimating the threat.

> Not by my standards but it is slowly replacing a paper system. (Police
> officer shows up and says 'We've just arrested John Smith. Has he sold
> you anything in the last 90 days?' The client says 'Just a minute' and
> reaches for a set of 4" d-ring binders and turns hundreds of pages
> looking for a Smith name...) My client is relieved that this scenario
> will soon disappear.

Is there something there that you can't do with a few spreadsheet macros?

>> What is the competitor going to do with this code even if they get it?
>
> Simplify their lives. See above.

Lawsuits don't simplify anyone's life ;-).

>> Also, is there an office network? Maybe you could run the program on
>> a server that most employees wouldn't have access to. They'd use it
>> through some limited client program or through a web browser.
>
> A network exists but the client insists on a standalone PC.


How about two PC's connected by a piece of ethernet cable, but no
outside network connection. The server is a laptop or palmtop locked
in a desk drawer. A little hole is drilled in the back of the drawer
for the power and network cables. The network cable is connected to a
PC on top of the desk that the employees actually use, running a web
browser or the like.
Oct 4 '05 #9
On Tuesday 04 October 2005 01:43, Svennglenn wrote:
> Have the program check for a file hidden somewhere on the computer.
> For instance, if the file dummyfile.dll doesn't exist in the
> windows/system32 folder the program just doesn't start. And when you
> install the program on her computer just add this file. And if anyone
> copies the program they can't run it on any other computer because
> they don't know the name of the file that's needed to start the
> program.
>
> How about that?


But wouldn't the file name need to be stored in the program somewhere?
as a string which can be discovered using relatively trivial processes?

That makes any protection difficult.

Being totally not a cryptographic expert... the solution I'd see would
be an installer that encrypts the Python package (zip file?) with some
hardware-specific key, and then decrypts it before running it (runner
would need to be in C or something). Or maybe just embeds in itself a
cryptographic signature using a hardware key that is verified before the
program can run.

-Michael
Oct 4 '05 #10
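
Added example, not code from any poster: one way to bind the program to the hardware identifiers listed in post #4, along the lines of the keyed check suggested in post #10, with a licence file created at install time. The embedded key, the policy of tolerating one changed component and all identifier values are assumptions constructed for illustration; it uses an HMAC whose key sits inside the program rather than a public-key signature, so, like the hidden file name discussed above, it raises the cost of copying rather than preventing it.

```python
import hashlib
import hmac
import json

# Assumption: a per-customer secret built into the program. Anyone who
# extracts it from the binary can mint licences, so this only raises cost.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
MIN_MATCHES = 2  # hypothetical policy: survive one replaced component


def _mac(text):
    return hmac.new(VENDOR_KEY, text.encode(), hashlib.sha256).hexdigest()


def _tag(name, value):
    """Keyed tag for one identifier; whitespace and case are normalised."""
    return _mac(f"{name}={str(value).strip().upper()}")


def _seal(tags):
    """Keyed tag over the whole tag table, to detect edited licence files."""
    return _mac(json.dumps(tags, sort_keys=True))


def issue_license(hardware):
    """Run once at install time on the authorised PC."""
    tags = {name: _tag(name, value) for name, value in hardware.items()}
    return json.dumps({"tags": tags, "seal": _seal(tags)})


def check_license(license_text, hardware):
    """True if the licence is intact and enough identifiers still match."""
    try:
        lic = json.loads(license_text)
        tags, seal = lic["tags"], lic["seal"]
    except (ValueError, KeyError, TypeError):
        return False  # missing, truncated or malformed licence file
    if not isinstance(tags, dict) or not isinstance(seal, str):
        return False
    if not hmac.compare_digest(seal.encode(), _seal(tags).encode()):
        return False  # edited, or produced without the key
    matches = 0
    for name, stored in tags.items():
        if name in hardware and isinstance(stored, str):
            current = _tag(name, hardware[name])
            matches += hmac.compare_digest(stored.encode(), current.encode())
    return matches >= MIN_MATCHES


if __name__ == "__main__":
    # Constructed identifiers; real ones would come from the WMI queries.
    pc = {"bios": "DEMO-BIOS-0001", "baseboard": "DEMO-BOARD-0001",
          "mac": "00:11:22:33:44:55"}
    lic = issue_license(pc)
    print(check_license(lic, pc))                                # same PC
    print(check_license(lic, dict(pc, mac="66:77:88:99:aa:bb")))  # new NIC
    print(check_license(lic, {"bios": "OTHER", "baseboard": "OTHER"}))
```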
