VMware Image Protection

We have an application that is packaged as a Linux VMware image. Now we need to find a way to protect it from illegal duplication and installation. We studied several solutions based on USB devices, but all of them require modification of the application at the source code level (simple hardware is limited by Windows EXE). Is there a way to protect a VMware image from starting and to run periodic checks?

EDIT: This application is part of a professional solution and is not distributed as is. VMware packaging is for virtualization, not distribution. We sell complete solutions for telecommunications companies, including hardware and support, in the price range of $10k-1M. However, since customers have access to the platforms, we need to make sure that they simply cannot accept images and run them elsewhere or win the licensing policy. Therefore, the remarks below, which cast doubt on the need for protection, although absolutely correct in the general case, do not apply here.

+4
source share
6 answers

I know this is said every time, but it’s worth repeating:

Please just don’t. Sell your software for a price that represents its value, with a basic key scheme, if you have to keep honest people honest and leave it at that. The pirates will always steal it, and the hardware key will simply cause grief for your honest customers.

In addition, any circuit you create will simply be defeated by reverse engineering; if you make it painful to use your software, you will motivate otherwise honest people to defeat it or look for cracks on the Internet. Just make the defense less painful than finding a crack.

Software Monkey, January 2009

+11
source

Encrypt the disk partitions using cryptsetup/dm-crypt, and then use some machine-specific element (the real CPU ID?) to decrypt at boot. But this means that for each client you need to create a new image ... but you could have a script.

Although after downloading it, they can tear the image in any case. Are you not required by the GPL to redistribute anyway?

it will be hard

+1
source
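A sketch of the machine-bound key idea from the answer above, as an added example that is not part of the original post. It assumes the DMI product UUID as the machine-specific element and a per-customer secret stored in the unencrypted boot stage; inside a VMware guest that UUID is virtual and is recorded in the image's configuration, so it can travel with a copied image.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

# Assumption: the DMI product UUID plays the role of the "machine-specific element".
DMI_UUID = Path("/sys/class/dmi/id/product_uuid")


def normalize_id(raw: str) -> bytes:
    """Canonicalise the identifier so case or whitespace changes do not alter the key."""
    return raw.strip().lower().encode("ascii")


def derive_key(machine_id: str, customer_secret: bytes) -> bytes:
    """HMAC-SHA256(secret, id) as 64 hex bytes: differs per machine and per customer."""
    ident = normalize_id(machine_id)
    if not ident:
        raise ValueError("empty machine identifier")
    return hmac.new(customer_secret, ident, hashlib.sha256).hexdigest().encode()


def unlock(device: str, name: str, customer_secret: bytes) -> None:
    """Open a LUKS volume with the derived key passed on stdin (needs root).

    The same derived key must have been enrolled when the image was built for
    this customer, which is the per-client image step the answer mentions.
    """
    key = derive_key(DMI_UUID.read_text(), customer_secret)
    subprocess.run(
        ["cryptsetup", "open", "--key-file", "-", device, name],
        input=key,
        check=True,
    )
```

Because the secret and this script sit on the unencrypted boot partition, anyone with the image can read both; the binding only stops a copy from booting unmodified on a machine that reports a different identifier.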

Also, to further expand on what Aiden said: you should get legal advice on whether you can do this without violating a) any of the several licenses that may be present in the Linux distribution that you use, or b) the licenses attached to the use of VMware.

Basically, what you are trying to do is called Tivoization, and if any of the packages you use fall under the GPL v3, you can break it.

0
source

Considering the size of your customers and the volume of services you offer, it seems to make no sense to make them jump through hoops. If they violate their contract, simply discuss it, and if you cannot reach a suitable compromise, sue them.

If the keys were a silver bullet, don't you think Microsoft or Oracle would require them?

For a software product with a very small number of large customers, support and further development are usually crucial for customers and make up the bulk of the value and cost of your solution. Licensing is just a small addition.

Honestly, if your product is so simple that it does not require constant development and support, you are unlikely to be able to charge a lot of money for licensing in any case - they just find the monkey code to duplicate it and save the changes.

0
source

About USB dongles, every USB dongle that is commercially available has been hacked and has a working environment. No matter what they tell you, the principle of USB keys is spoiled by design.

To make matters worse, once you deliver your software product to a client, it will be hacked if they find the application valuable enough to spend time hacking it. It doesn't matter how much it is protected, if a hacker has access to binary content, he will be hacked.

In addition, many of your users will be honest people who will be annoyed by all of these security features. If you decide that the solution is very strong, you are actually inviting people not to use your software for the right, legitimate purposes.

As noted earlier, keep in mind that you must comply with Linux licenses. In fact, you may be forced to provide the source code for your application as an open source if you cannot prove that you have worked under the license.

However, there is a reasonably simple way to do periodic checks. Use cron to launch a call-home application at least once a day. It will call a web service on your web host, providing additional information about this setup. In response, your service reports whether it is still legal or not. If it is legal, no problem. If this check fails, just report it to the community. If call-home has failed five times in a row or reports an illegal version, then annoy the user. (But without breaking the usability of your application, otherwise users will become really unhappy.) Now the material you want to protect can continue to work without any changes. Or you change it to check whether the call-home application has tried to make contact. If the user has disabled this process or interfered with it in any other way, you can also block your applications.

Or, to use the simplest option: create a special administrator account with almost full access rights. Do not let your customers work as root.

0
source
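The call-home logic described in the answer above, as an added example that is not part of the original post. The endpoint URL, the JSON response format and the two-day silence threshold are assumptions; `record_check` is what the daily cron job would apply after each call, and `verdict` is what the protected application would consult.

```python
import json
import urllib.parse
import urllib.request

MAX_FAILURES = 5          # "five times in a row", from the answer
MAX_SILENCE = 2 * 86400   # assumption: no run for two days means the job was disabled
CHECK_URL = "https://license.example.invalid/check"  # placeholder endpoint


def call_home(install_id: str, url: str = CHECK_URL) -> str:
    """Ask the vendor service; returns 'legal', 'illegal' or 'unreachable'."""
    try:
        query = urllib.parse.quote(install_id)
        with urllib.request.urlopen(f"{url}?id={query}", timeout=10) as resp:
            # Assumed response body: {"status": "legal"} or {"status": "illegal"}
            status = json.load(resp).get("status")
    except (OSError, ValueError, AttributeError):
        return "unreachable"
    return status if status in ("legal", "illegal") else "unreachable"


def record_check(state: dict, result: str, now: float) -> dict:
    """Fold one call-home outcome into the persisted state."""
    state = dict(state, last_run=now)
    if result == "legal":
        state.update(failures=0, illegal=False)
    elif result == "illegal":
        state["illegal"] = True
    else:
        state["failures"] = state.get("failures", 0) + 1
    return state


def verdict(state: dict, now: float) -> str:
    """'ok', 'nag' (annoy the user) or 'block' (call-home was not running)."""
    if now - state.get("last_run", 0) > MAX_SILENCE:
        return "block"
    if state.get("illegal") or state.get("failures", 0) >= MAX_FAILURES:
        return "nag"
    return "ok"
```

The state would be persisted between runs (for example as a JSON file), and a customer with root on the guest can edit that file, which is why the answer pairs the scheme with withholding root.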

Have you tried VMWare ACE?

http://www.vmware.com/products/ace/features.html

It seems that you have decided your needs.

0
source

Source: https://habr.com/ru/post/1286623/
