Fog Creek Software
Discussion Board




Sending a licence file for a shareware application


Usually after you've registered a shareware you're issued a serial no. by e-mail.

As I want to store the customer address in the application (maybe the "About" form) I may want to send a licence file which includes the serial No. and the customer address.

Do you think it's OK to do so?

Is it considered a bad practice?
(Yeah! This is the 1st time I'm releasing a shareware to the world!) ;-)

Best Regards,
Snacky

Snacky
Wednesday, April 14, 2004

Irrespective of being OK - it's unnecessary.

The app has a local file containing the customer data - it loads this file at startup and puts it in the about box.

When they register they send you the contents of this file.

The licence key includes a hash of this file contents, if the address file is missing or changed the licence is invalid and the app doesn't start.

Martin Beckett
Thursday, April 15, 2004
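The scheme in the post above, sketched as an added example; it is not code from the thread or from any poster. Assumptions: the post says only "a hash", and this sketch uses a keyed hash (HMAC-SHA256) so a key cannot be recomputed for an edited file from the algorithm alone; `VENDOR_SECRET`, the key format, the canonicalisation rule and the sample file are all hypothetical.

```python
import base64
import hashlib
import hmac

# Hypothetical vendor secret, constructed for this example. A keyed hash is an
# assumption: the post says only "a hash". With a plain hash, anyone who knows
# the algorithm could recompute a key for an edited file.
VENDOR_SECRET = b"example-secret-not-a-real-key"


def canonical(customer_data: str) -> bytes:
    """Normalise line endings and edge whitespace so that a harmless re-save
    of the file (CRLF vs LF, trailing blanks) does not invalidate the key."""
    lines = [ln.strip() for ln in customer_data.replace("\r\n", "\n").split("\n")]
    return "\n".join(ln for ln in lines if ln).encode("utf-8")


def issue_key(customer_data: str) -> str:
    """Vendor side: derive the licence key from the customer data file."""
    mac = hmac.new(VENDOR_SECRET, canonical(customer_data), hashlib.sha256).digest()
    code = base64.b32encode(mac[:10]).decode("ascii")  # 80 bits -> 16 characters
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))


def licence_valid(customer_data, key: str) -> bool:
    """Application side: a missing or altered file means no valid licence."""
    if customer_data is None:  # address file not found on disk
        return False
    # Accept the key as a user would type it: any case, with or without dashes.
    entered = key.replace("-", "").replace(" ", "").upper()
    expected = issue_key(customer_data).replace("-", "")
    # Constant-time comparison of the entered and expected keys.
    return hmac.compare_digest(entered.encode(), expected.encode())


# Constructed sample customer file (not real customer data).
SAMPLE = "Name: A. Customer\r\nAddress: 1 Example Street\r\nSerial: 0001\r\n"

if __name__ == "__main__":
    k = issue_key(SAMPLE)
    print(k, licence_valid(SAMPLE, k))
```

Because the application must hold `VENDOR_SECRET` to verify, the secret ships inside the binary; a public-key signature checked against an embedded public key keeps the signing key with the vendor.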

> The licence key includes a hash of this file contents, if the
> address file is missing or changed the licence is invalid and
> the app doesn't start.

Unless, of course, someone goes into the EXE and hacks out the part that looks for the license file to start...

Unless you deal with detecting and disabling debuggers, tracers and other tools available to the fellow crackers, you won't win this war!  You may never win this war.  :)

grunt
Thursday, April 15, 2004

In general you should treat customers' private information with the respect the bank (the good ones anyway) would.

Make it explicit that no private information will ever be requested from your client using email or snail mail or any other electronic means.

Users will receive (in print) a license certificate.


Having the license certificate and the license number is all they need to click on a link in your emails to get to an SSL signed and encrypted site where they can log in using the serial number to update their profile.

http://preference.crm.vendor.com/editprofile/login.aspx

The form should go:

Please enter your serial number: [                            ]

<Click button to register>


Once a profile has been created, you can create a clickable link that automatically allows users to edit not so private information (like email address, first name and last name and preferences, but not phone number and addresses) by attaching an AES symmetrically encrypted email address to the URL query string.

For example:

http://preference.crm.vendor.com/editprofile/login.aspx?u=adsf82390hioofda25234sdfa80afs80235

In this sort of flow: 1) it prevents the vendor from ever having to reveal private information.

2) it prevents customers from having to provide any more than first name last name serial number and non-personal CRM preferences in normal email transactions.

For anything else, you'll have to designate a password that can only be reset using a phone call.

-- D

Li-fan Chen
Thursday, April 15, 2004

If you want to talk about the anti-piracy wars there are plenty of old threads that hacked this topic to death, search them out...

Li-fan Chen
Thursday, April 15, 2004
