Page 2 of 3 FirstFirst 123 LastLast
Results 26 to 50 of 55
  1. #26
    Join Date
    Oct 2004
    Posts
    44
    Greetings,
    in my opinion it's insecure as described by pixd. A user can run tcpdump, and he will see that a running script:
    1. tries to resolve example.com
    2. then queries for a file called montana.txt and gets some text from it
    3. he puts "example.com 127.0.0.1" in /etc/hosts and creates montana.txt on his own server
    4. he doesn't pay for the script

    How to prevent this? Encrypt all the traffic that goes from your host, for example using openssl in PHP.

  2. #27
    Originally posted by insanex
    4. he doesn't pay for the script
    How to prevent this? Encrypt all the traffic that goes from your host, for example using openssl in PHP.
    If the user goes to all this trouble, he can just as well strace and gdb the execution, look for the encryption calls, replace them with his own functions and nab the keys.

    All this, however, will take more time and energy than recoding a component yourself.

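    The two posts above disagree about what encryption buys you. The following is an added example, not pixd's snippet and not code from anyone in this thread: instead of fetching plain text from licence.txt, the script fetches a response that the vendor's server signed with an RSA private key and verifies it with an embedded public key. The response is bound to the licensee's domain, an expiry and a per-request nonce, so redirecting example.com to the buyer's own box (post #26) yields nothing he can forge, and there is no secret key in the script to nab (post #27). The domain www.my-site.com, the "domain|expiry|nonce" payload format and the throwaway key pair are assumptions made for the demonstration. What this does not fix is the point #27 makes last: a buyer with the unencoded source can still delete the call to licence_valid() altogether.

```php
<?php
// Added example (not from the thread): verify a signed licence response
// instead of trusting whatever text comes back for licence.txt.
// Assumptions: the vendor signs "<domain>|<expiry>|<nonce>" with an RSA key;
// the script ships only the public key. The key pair below is generated on
// the fly purely so the example runs offline.

declare(strict_types=1);

// --- Vendor side (normally runs on the licence server) -------------------
function vendor_sign(string $privateKeyPem, string $domain, string $expiry, string $nonce): string
{
    $payload = "$domain|$expiry|$nonce";
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('bad private key');
    }
    $sig = '';
    if (!openssl_sign($payload, $sig, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    // Wire format the script expects: payload line, then base64 signature line.
    return $payload . "\n" . base64_encode($sig) . "\n";
}

// --- Script side (this is all that ships to the customer) ----------------
function licence_valid(string $response, string $publicKeyPem, string $expectedDomain, string $expectedNonce, int $now): bool
{
    $lines = explode("\n", trim($response));
    if (count($lines) !== 2) {
        return false;
    }
    [$payload, $sigB64] = $lines;
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false;
    }
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error):
    // accept exactly 1 and nothing else.
    if (openssl_verify($payload, $sig, $pub, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $parts = explode('|', $payload);
    if (count($parts) !== 3) {
        return false;
    }
    [$domain, $expiry, $nonce] = $parts;
    // Bind the answer to this install and this request, so a genuine response
    // captured for another customer, or an old one, cannot be replayed.
    if ($domain !== $expectedDomain || !hash_equals($expectedNonce, $nonce)) {
        return false;
    }
    return ctype_digit($expiry) && (int) $expiry > $now;
}

// --- Offline demonstration with a throwaway key pair ---------------------
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privPem);
$pubPem = openssl_pkey_get_details($pair)['key'];

$now   = time();
$nonce = bin2hex(random_bytes(16));   // fresh per check, sent to the server with the request
$good  = vendor_sign($privPem, 'www.my-site.com', (string) ($now + 86400), $nonce);

var_dump(licence_valid($good, $pubPem, 'www.my-site.com', $nonce, $now));

// A buyer who points the vendor host name at his own server can serve any
// text he likes, but without the private key he cannot produce a valid signature.
$forged = "www.my-site.com|" . ($now + 86400) . "|$nonce\n" . base64_encode(str_repeat("\0", 256)) . "\n";
var_dump(licence_valid($forged, $pubPem, 'www.my-site.com', $nonce, $now));

// A genuine response replayed against a different domain also fails.
var_dump(licence_valid($good, $pubPem, 'other-site.com', $nonce, $now));
```

    Run from the command line with the openssl extension loaded, the first var_dump() is true and the other two are false. Because only the public key is in the script, encoding it with ionCube or Zend protects the check from being removed, not the key from being read; the signature scheme does not depend on the encoder keeping anything secret.
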
  3. #28
    For Java, check out RetroGuard from RetroLogic: http://www.retrologic.com/retroguard-main.html

  4. #29
    I would recommend www.phpaudit.com for licensing.

  5. #30
    Join Date
    Aug 2004
    Posts
    359
    Originally posted by zinet
    The only problem with this is that Joe can just set the dns entry for example.com to his server. When the script looks up example.com it will go to his server.
    Then use an IP number instead.

  6. #31
    nice tips thanks alot

  7. #32

    Vulnerabilities

    The only problem with this is that Joe can just set the dns entry for example.com to his server. When the script looks up example.com it will go to his server.
    Someone suggested using an IP address instead. Would this fix this bug?
    I've found another problem. As you say, if the server is down it does still work, but it comes up with the error...

    Warning: file(http://www.my-site.com/licence.txt): failed to open stream: HTTP request failed! HTTP/1.1 404

    So, if your server happens to go down, the person will realise which file the script is looking for anyway. Is there a way to get rid of this error message if the file cannot be found?

    Would it be something along the lines of...

    PHP Code:
    if (!$connection) {
        echo '';
    } else {
        // REST OF SCRIPT HERE
    }

    That's just a total guess!
    Daniel Mercer,
    danielmercer[@]gmail[.]com

  8. #33
    Join Date
    Jul 2004
    Location
    Indiana, USA
    Posts
    154
    Daniel, the solution to that is a rather simple one. Just put this above the code that checks for the license:

    Code:
    error_reporting(0);
    From here.
    Dave Scott
    President/CEO
    The Sonic Group, LLC
    Core Team Member - International Web Developers Network

  9. #34
    Very nice, thank you

  10. #35
    Join Date
    Dec 2004
    Location
    Canada
    Posts
    1,097
    Right, and now he can no longer maintain the code that he paid for. I think encoding the code in contracted projects is unethical and if I were hiring developers I would refuse to pay for such obfuscation. What if you die and he needs to modify the software? What if he just wants someone else to do it for him, or wants to do it himself? What if you're an *******?

    I'm paying you to write code. I'm not paying you to put backdoors into my system and give me a product that I can't fix. It really doesn't matter to you at all what I want to do with it afterwards, you have no right to restrict that.
    Last edited by error404; 01-22-2005 at 03:52 PM.

  11. #36
    What about rentacoder.com?

    Is there something wrong with their service?

  12. #37
    I would let anyone working for me encode their scripts. I pay them to give me source code, not play games with me.

    Think of it from the standpoint of a buyer. I pay for the work and get encoded stuff, and at any time the seller can disable it.

    My business suggestion is to work in a trusted marketplace with a dispute resolution service, and pay based on the percentage of work completed. Then there will not be a one-time $2,000 deal for everything.

  13. #38
    Join Date
    Oct 2004
    Location
    Moji
    Posts
    2,107
    pixd's way is really good to protect yourself from being scammed.
    However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script anytime s/he wants.
    The best solution for me is a well planned contract:

    1. Project will be made for xxx$
    2. After the job is done, it will be encoded and sent to the customer.
    3. Customer tests the product and confirms that it is working.
    4. Customer pays the price, programmer sends the raw code.
    5. If the customer doesn't pay, pixd's solution will be used...
    DigiPun.ch
    An Awesome Digital Punch Clock
    Release date: October 1st

  14. #39
    Join Date
    Oct 2002
    Location
    York, United Kingdom
    Posts
    279
    Yes, but the protection is in case you don't pay! It's happened to me before, but luckily I used the code snippet and made sure that if they weren't going to pay me they wouldn't use it.

  15. #40
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,916
    Originally posted by BurakUeda
    pixd's way is really good to protect yourself from being scammed.
    However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script anytime s/he wants.
    The best solution for me is a well planned contract:

    1. Project will be made for xxx$
    2. After the job is done, it will be encoded and sent to the customer.
    3. Customer tests the product and confirms that it is working.
    4. Customer pays the price, programmer sends the raw code.
    5. If the customer doesn't pay, pixd's solution will be used...
    There's also the problem of the customer paying, and then doing a chargeback/reversal at their credit card processor once they have the source code. Embedding some sort of licensing/call back option into a script is always a good idea - you can never be 100% sure who you are dealing with.
    Alasdair
    Long time ex-host, ex-billing software owner/developer/support staff. Recent lurker.

  16. #41
    Join Date
    Jun 2002
    Location
    Hat Yai, Thailand
    Posts
    121
    My suggestion is to use SourceCop. You can limit the script to run under a specific IP, and you can set the expiry date.

    You set the expiry date to one year and encode the script (just ONE main file). After one year, I guess it is unlikely that your customer will carry out a transaction reversal. Before the expiry date, re-send him the encoded script - but this time with the expiry date removed. He he he . . . .
    Janwawa Group Tour Management
    - http://janwawa.com

  17. #42
    Join Date
    Jul 2005
    Location
    Southampton, England
    Posts
    7
    Excellent idea IMO pixd. Can never tell if someone is gonna rip work from you, so this gives you peace of mind when sending them the code.

    Thanks

    lemonadeX

  18. #43
    Join Date
    Feb 2005
    Location
    Delaware
    Posts
    587
    Very Cool. Thanks for the tip.

  19. #44
    Join Date
    Nov 2005
    Posts
    282
    I'm not going to publish any possible ways (and I encourage none of you to either).
    Not that I mean to, but it doesn't take much to realize the file has to be accessed remotely to determine if you have a valid license.
    So it's very easy to break if the server operator disables the allow_url_fopen ini directive.

    You can add the following code in your script to prevent such tampering.
    PHP Code:
    if (!ini_get('allow_url_fopen')) {
        exit('Configuration Error: allow_url_fopen must be turned on for this script to work');
    }
    allow_url_fopen can only be set manually; ini_set cannot turn it on.

    For those worried about error messages, just put the @ character before the functions in the script,

    so @fopen instead of fopen.
    Last edited by Korvan; 12-16-2005 at 05:59 PM.
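
    Korvan's check tells the user exactly which directive to flip back on, and Daniel's question in #32 was how to stop PHP printing a warning that names the licence file. The following is an added example, not Korvan's or Daniel's code: a fetch function that uses the HTTP stream wrapper when allow_url_fopen is on, falls back to cURL when it is off, applies timeouts so a firewalled-off licence server does not hang the page, and returns null rather than echoing anything on failure. It also connects to a fixed IP while still sending the vendor's Host header, which is what "point it to an IP" in this thread means in practice. The IP 203.0.113.10 (a documentation address), the host name www.my-site.com and the path /license.php?projectID=5551 are assumed for the example.

```php
<?php
// Added example (not from the thread): fetch the licence response quietly,
// with or without allow_url_fopen, over a fixed IP.
// Assumed values: vendor host www.my-site.com at 203.0.113.10, path below.

declare(strict_types=1);

const LICENCE_HOST = 'www.my-site.com';        // assumed vendor virtual host
const LICENCE_IP   = '203.0.113.10';           // assumed fixed IP: no DNS lookup, so /etc/hosts is irrelevant
const LICENCE_PATH = '/license.php?projectID=5551';
const TIMEOUT_SEC  = 5;

/**
 * Returns the response body, or null on any failure. Nothing is echoed,
 * so a broken licence server never reveals the file name to the buyer.
 */
function fetch_licence(): ?string
{
    // Connect to the IP but send the real Host header so the vendor's
    // virtual host answers the request.
    $url     = 'http://' . LICENCE_IP . LICENCE_PATH;
    $hostHdr = 'Host: ' . LICENCE_HOST;

    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create(['http' => [
            'method'        => 'GET',
            'header'        => $hostHdr . "\r\n",
            'timeout'       => TIMEOUT_SEC,
            'ignore_errors' => true,   // get the body on 4xx/5xx instead of a warning
        ]]);
        // '@' silences "failed to open stream" warnings; we return null instead.
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            return null;
        }
        // $http_response_header is filled in by the HTTP wrapper in this scope.
        if (!isset($http_response_header[0])
            || !preg_match('#^HTTP/\S+\s+200\b#', $http_response_header[0])) {
            return null;
        }
        return $body;
    }

    // allow_url_fopen is off on this host: fall back to cURL rather than
    // exit()ing with a message that tells the user what to change.
    if (!function_exists('curl_init')) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [$hostHdr],
        CURLOPT_CONNECTTIMEOUT => TIMEOUT_SEC,
        CURLOPT_TIMEOUT        => TIMEOUT_SEC,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect must not send the check elsewhere
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        return null;
    }
    return (string) $body;
}

// Fail closed and quietly: no licence response, no script.
$licence = fetch_licence();
if ($licence === null) {
    exit;
}
// ... verify $licence and run the rest of the script here ...
```

    Two caveats. A fixed IP means a server move requires re-issuing the script, which is the trade-off Alasdair describes in #49. And plain HTTP is still visible to the tcpdump user from #26, so this function only hides the failure mode; what the response is worth depends on whether the script verifies a signature on it rather than trusting the text.
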

  20. #45
    Wow I love your idea Very well written.

  21. #46
    IMO, the general idea of this thread has a purpose. There are people out there who take code and chop it up and resell it, or just take your software and charge back, as was suggested before. It is real and it happens on a daily basis.

    The reason I see that it is good is, for one, a person or company writes software and leases the software on a monthly basis (i.e. ModernBill). They require a monthly fee and issue licenses according to your contract. So if you do not pay they can shut down your script. This level of protection is needed by developers who are choosing to lease a script as such.

    Therefore I see good reason to have such protection.

    Now to come up with a solution that is secure enough to thwart all efforts of compromise.

  22. #47
    Join Date
    Jan 2005
    Location
    Toledo, OH
    Posts
    143
    Point it to an IP so that a DNS change cannot override what server it's hitting.

  23. #48
    Join Date
    Jan 2005
    Location
    Toledo, OH
    Posts
    143
    You could also make it database driven: instead of pulling up a text file, pull up something like license.php?projectID=5551. That way you don't have a billion text files for all of the projects that you have.

  24. #49
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,916
    The most recent versions of the ionCube encoder and SourceGuardian (retailing from $259/$250) include a licensing section where you can encode the files and then generate a separate licensing file (enter a specific domain/IP where the files can run) or encode the files with the details included. Expiry dates can also be built in, so if you agree to give them source after 6 months, you simply include an expiry of 7 months to allow for some give time (or even issue six one-month licenses for more control and then hand the source code over). You've stopped them selling your script, stopped them using it past a certain date if they chargeback, and also removed the need to maintain any sort of licensing server.

    It won't give you as much control, but it avoids thinking about things like "what happens if they change DNS", "what if they firewall my server out", "what happens if my server goes down", "what happens if I need to change my IP" etc... Peace of mind for them and you. You could also purchase a specialised licensing package which should take care of issues like that for you.
    Alasdair
    Long time ex-host, ex-billing software owner/developer/support staff. Recent lurker.

  25. #50
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    The best way to handle licenses isn't via text files, but via MySQL databases. This way you can control what IPs the licenses are used from, and all of that, pretty easily. It's really not that hard to do.

    Secondly, and much more importantly!
    If you're going to use ionCube as a protection agent, remember NOT everyone likes the way ionCube attempts to control your PHP loaders, and many will refuse to run ionCube scripts. Provide a Zend alternative, which will help out everyone in general.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons
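
    Posts #48 and #50 both move the licence data out of per-project text files and into a database, keyed by a project ID and carrying the IP the licence may be used from. The following is an added example of that server side, license.php, and is not code from either poster: one row per project with the allowed IP, an expiry and a revoked flag; the lookup is a prepared statement so the projectID query parameter can never reach SQL unescaped; and the client gets a bare ok/denied line while the reason goes to the vendor's log. The schema, the three sample rows and the use of an in-memory SQLite database (so the file runs offline; a live deployment would point PDO at MySQL) are all constructed for this example.

```php
<?php
// Added example (not from posts #48/#50): database-driven license.php.
// Assumed schema and sample rows, built in an in-memory SQLite database so
// the example runs offline. Replace the DSN with your MySQL connection in use.

declare(strict_types=1);

function open_licence_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE licences (
        project_id INTEGER PRIMARY KEY,
        domain     TEXT    NOT NULL,
        allowed_ip TEXT    NOT NULL,
        expires_at INTEGER NOT NULL,
        revoked    INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample rows: one live, one expired, one revoked after a chargeback.
    $ins = $db->prepare('INSERT INTO licences VALUES (?, ?, ?, ?, ?)');
    $ins->execute([5551, 'www.my-site.com',    '198.51.100.7', time() + 30 * 86400, 0]);
    $ins->execute([5552, 'old-client.example', '198.51.100.8', time() - 86400,      0]);
    $ins->execute([5553, 'chargeback.example', '198.51.100.9', time() + 30 * 86400, 1]);
    return $db;
}

/**
 * Decide the licence status for one request. Returns 'ok' or a short reason;
 * the reason is for the vendor's log, the client only learns that it is not ok.
 */
function licence_status(PDO $db, string $projectIdParam, string $remoteIp, int $now): string
{
    // Validate the untrusted query parameter and bind it anyway: the lookup
    // is a prepared statement, never string concatenation into SQL.
    if (!ctype_digit($projectIdParam)) {
        return 'bad-id';
    }
    $stmt = $db->prepare('SELECT domain, allowed_ip, expires_at, revoked FROM licences WHERE project_id = ?');
    $stmt->execute([(int) $projectIdParam]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unknown';
    }
    if ((int) $row['revoked'] === 1) {
        return 'revoked';       // flipped in the table, no redeploy of the script needed
    }
    if ((int) $row['expires_at'] <= $now) {
        return 'expired';
    }
    // The request must come from the server the licence was sold for.
    if ($row['allowed_ip'] !== $remoteIp) {
        return 'wrong-ip';
    }
    return 'ok';
}

// --- Request handling (what license.php does when the script calls home) ---
$db        = open_licence_db();
$projectId = (string) ($_GET['projectID'] ?? '');
$remoteIp  = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
$status    = licence_status($db, $projectId, $remoteIp, time());

header('Content-Type: text/plain');
header('Cache-Control: no-store');
// Bare status line only; sign it as well if the client verifies signatures.
echo $status === 'ok' ? "ok\n" : "denied\n";
error_log(sprintf('licence projectID=%s ip=%s -> %s', $projectId, $remoteIp, $status));
```

    REMOTE_ADDR is the TCP peer, which is fine when license.php is served directly; behind a reverse proxy or CDN it is the proxy's address, and you would have to take the client IP from the proxy's forwarded header and trust only your own proxy to set it. The IP check also has the practical cost Alasdair notes in #49: a customer who legitimately moves servers needs the row updated before the script works again.
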
