Preventing excel application piracy

M

Mangesh Yadav

Hi,

I have an excel application which sends some requests over the internet to
our servers. The user also has to provide a username password for
validation. On the server some processing is done, and the results are sent
back.

I as a user may buy only one excel file and distribute it to my friends and
give them the username password. They will open this excel file on their
machines and use my login details to run the application.

Now the question: How do I, as the developer, stop this piracy. What are the
techniques / tools available. Say something like: The excel sends some
computer info to the server the first time it is opened and on the server
side it is registered for that particular user-id / computer combination.

Is there any such thing available.
 
T

tra

The excel sends some
computer info to the server the first time it is opened and on the
server
side it is registered for that particular user-id / computer
combination.

This sounds like a good idea. It's probably possible to find out, using
code, information about the serial number for windows, or for
particular pieces of hardware. I don't know how to do this, though, but
the information's probably sitting in an MSDN article somewhere.
http://msdn.microsoft.com

Another idea might be for the spreadsheet to, when it's first opened,
generate a random number and store it in the registry. Then, when the
username and password are sent to the server, the random number is sent
with it. The server stores this random number with the username and
password and in future, blocks anyone who attempts to access using a
different random number.

The main idea behind this is that when the spreadsheet is copied to
another user, the registry key containing the random number is not
copied so the pirated version would (since it did not have that
registry key) generate its own new random number, which would be
rejected by the server.

The main problem with this method is that the user could find the
registry key using regedit where the random number is stored and
transfer it himself to his friends. However, the average user would not
know how to do this.
 
M

Mangesh Yadav

Hi TRA,

Thanks very much for your post.

Currently I am planning on the use of MAC address. First time the user logs
in from a particular machine with his user id, the computer sends the MAC
address. This info (combination of user id and mac address) is saved on the
server. The next time the user tries his user id, the server will compare
the mac address of the computer to the one stored on the server.

Mangesh
 
M

Mangesh Yadav

Hi Anne,

1. The user logs from machine A for the first time with his user_id. The
computer sends the mac address of machine A to the server.
2. On the server the combination of the user_id and the mac address of
machine A is stored.
3. Suppose user tries to log on machine B. The mac address of machine B is
sent along with the user id. On the server, this mac address (machine B) is
compared to the one stored for this user_id (which is mac address of machine
A). The server prevents the user from doing the calculations.

I will go though the link you provided. Thanks for the same.


Mangesh
 
A

Anne Troy

Just playing Devil's Advocate, Mangesh.
Where does the user ID come from?
And what happens if customer is on an airplane with no current internet
connection? They can't use your program?
************
Anne Troy
www.OfficeArticles.com
 
H

Harlan Grove

Mangesh Yadav wrote...
I have an excel application which sends some requests over the internet to
our servers. The user also has to provide a username password for
validation. On the server some processing is done, and the results are sent
back.

I as a user may buy only one excel file and distribute it to my friends and
give them the username password. They will open this excel file on their
machines and use my login details to run the application.

Now the question: How do I, as the developer, stop this piracy. What are the
techniques / tools available. Say something like: The excel sends some
computer info to the server the first time it is opened and on the server
side it is registered for that particular user-id / computer combination.

Is there any such thing available.
Click to expand...

There is *NO* effective way to prevent unauthorized use of any XLS or
XLA file if the users have the passwords to open them. If a
sophisticated user can open a file, they can remove all internal
passwords. Once that's done, they can modify any formulas and VBA
modules. If it's a VBA macro that communicating with your server,
nothing prevents the user from commenting out any API call that fetches
machine ID and replacing it with code that returns a cached machine ID.
Nothing prevents user ID or password duplication.

In short, if you distribute intellectual property in the form of XLS or
XLA files, don't expect much revenue from the sales of the files. If
your files operate by connecting to your server, charge by transaction.
If user A who buys your XLS file would have to pay for every
transaction that his friends B, C and D would incur when they use
copies of the file to connect to your server, it's HIGHLY likely user A
won't share copies of the XLS file.

USE HUMAN NATURE TO YOUR ADVANTAGE!!
 
M

Mangesh Yadav

Hi Anne,

You are welcome.

My application is useless without the internet. They have to connect to the
server for calculations. And the user_id (which is given to each user
before-hand) is used to validate the user. My only problem was how to stop
him from distributing the excel application along with his user-name
password. One way is to check that he uses the application from one machine
only (and the MAC address comes into the picture here).

Ofcourse I agree that this is not a fool-proof method as VBA passowrds can
be hacked, but this should prevent the average user from distributing the
files.

Thanks for your responses

Mangesh
 
M

Mangesh Yadav

Hi Harlan,

Thanks for your response.

Yes, I agree that excel does not have a good security, but my main aim is to
prevent the average user distribute the application. The main calculation
though resides on the server to which the user has to connect. The only
issue is to prevent him distribute the file to everyone. But your suggestion
has given me a new idea and I will have to think in that direction and check
out its feasibility. As it is the user can do n number of calculations.

Thanks once again.

Mangesh
 
A

aaron.kempf

excel is crap

put your efforts into a database; maybe you woudln't be stuck with
nothing if you had chosen a database from the getgo
 
P

PowerWheels

Hi, I just found this forum the other night and it looked like alot of
knowledgable people where on board, so here is my question. I have
developed several Excel add-ins and need to setup some kind of
security.

Does anyone have any code they might share on a security checking
system, like that mentioned above. I need to figure this out before
rolling out my apps.

The best solution that I can get setup might just gain that person a
share on any revenue I can generate. Really, I need help here! :)

I would like to initially check the computer during install and
validate a code against a stored code, perhaps in the add-in itself.
After that I am not sure how to protect the file, but I thought someone
here might be able to help.

On an internet validated mac address, would'nt many businesses with
firewalls prevent any type of validation over the net?

Any help will be very much appreciated.

Thanks
Larry
 
Top