[nycphp-talk] RE: talk Digest, Vol 12, Issue 26

Rafi Sheikh Rafi.Sheikh at Ingenix.com
Thu May 20 15:28:57 EDT 2004


Thank you.  I used array_values and it worked like a dream.  Thx again!

-----Original Message-----
From: talk-request at lists.nyphp.org [mailto:talk-request at lists.nyphp.org]
Sent: Thursday, May 20, 2004 1:10 PM
To: talk at lists.nyphp.org
Subject: talk Digest, Vol 12, Issue 26


Send talk mailing list submissions to
	talk at lists.nyphp.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.nyphp.org/mailman/listinfo/talk
or, via email, send a message with subject or body 'help' to
	talk-request at lists.nyphp.org

You can reach the person managing the list at
	talk-owner at lists.nyphp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of talk digest..."


Today's Topics:

   1. PHP License Management (Dan Cech)
   2. Re: PHP License Management (David Sklar)
   3. Re: PHP License Management (John Lacey)
   4. Re: PHP License Management (Dan Cech)
   5. RE: PHP License Management (Daniel Kushner)
   6. Change key values in array (Rafi Sheikh)
   7. Re: Change key values in array (Phillip Powell)
   8. RE: Change key values in array (Daniel Kushner)
   9. Re: PHP License Management (inforequest)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 May 2004 13:06:14 -0400
From: Dan Cech <dcech at phpwerx.net>
Subject: [nycphp-talk] PHP License Management
To: NYPHP Talk <talk at lists.nyphp.org>
Message-ID: <40ACE586.2030408 at phpwerx.net>
Content-Type: text/plain; charset=us-ascii; format=flowed

Hi all,

I've been asked to come up with a licensing solution for a
closed-source php application, and wondered if anyone had any advice.

The application will be licensed either in perpetuity or on a 
subscription basis, and each license will be tied to a particular server 
to make unauthorised distribution more difficult.

The idea I came up with was to create a server app where the user could 
log in and view/purchase/extend licenses and manage the IP address(es) 
each license is tied to.

The 'license' itself would be an encrypted token containing the client 
id, expiry date, ip address(es) etc signed with a private key.

The actual software would then be encoded to protect the source from 
(casual) prying eyes (I was thinking of using the Turck MMCache encoder 
for this) and include code to check the license validity and take 
appropriate action.

The most obvious (to me) attack on the system is to reverse-engineer the 
code and remove the license check, which could be mitigated somewhat by
encoding the entire app and 'hiding' the check within the code.

It seems to me like a viable solution, but I'm no security expert and 
would appreciate any and all comments or pointers to existing solutions.

Dan



------------------------------

Message: 2
Date: Thu, 20 May 2004 13:09:31 -0400
From: David Sklar <sklar at sklar.com>
Subject: Re: [nycphp-talk] PHP License Management
To: NYPHP Talk <talk at lists.nyphp.org>
Message-ID: <40ACE64B.4030806 at sklar.com>
Content-Type: text/plain; charset=us-ascii; format=flowed

> The actual software would then be encoded to protect the source from 
> (casual) prying eyes (I was thinking of using the Turck MMCache encoder 
> for this) and include code to check the license validity and take 
> appropriate action.
> 
> The most obvious (to me) attack on the system is to reverse-engineer the 
> code and remove the license check, which could be mitigated somewhat by
> encoding the entire app and 'hiding' the check within the code.

There's no perfect solution here, you just want to be sufficiently ahead 
of likely attackers in the arms race. One thing that might help (but 
will cost you more $) is to use a closed-source encoder like Zend 
Encoder or the ionCube Encoder. Reversing the encoded code is much 
easier when you have the source code to the encoder.

The ionCube encoder offers some protections similar to your licensing 
scheme (but users can't change things), so that might be helpful, too.

David



------------------------------

Message: 3
Date: Thu, 20 May 2004 11:10:15 -0600
From: John Lacey <jlacey at att.net>
Subject: Re: [nycphp-talk] PHP License Management
To: NYPHP Talk <talk at lists.nyphp.org>
Message-ID: <40ACE677.2010201 at att.net>
Content-Type: text/plain; charset=us-ascii; format=flowed



Dan Cech wrote:
> Hi all,
> 
> I've been asked to come up with a licensing solution for a
> closed-source php application, and wondered if anyone had any advice.
> 
> The application will be licensed either in perpetuity or on a 
> subscription basis, and each license will be tied to a particular server 
> to make unauthorised distribution more difficult.
> 
> The idea I came up with was to create a server app where the user could 
> log in and view/purchase/extend licenses and manage the IP address(es) 
> each license is tied to.

I'd look for a way other than IP addys since they're a moving 
target, especially if the customer is running a NATed network.

> 
> The 'license' itself would be an encrypted token containing the client 
> id, expiry date, ip address(es) etc signed with a private key.
> 
> The actual software would then be encoded to protect the source from 
> (casual) prying eyes (I was thinking of using the Turck MMCache encoder 
> for this) and include code to check the license validity and take 
> appropriate action.
> 
> The most obvious (to me) attack on the system is to reverse-engineer the 
> code and remove the license check, which could be mitigated somewhat by
> encoding the entire app and 'hiding' the check within the code.
> 
> It seems to me like a viable solution, but I'm no security expert and 
> would appreciate any and all comments or pointers to existing solutions.
> 
> Dan



------------------------------

Message: 4
Date: Thu, 20 May 2004 13:18:01 -0400
From: Dan Cech <dcech at phpwerx.net>
Subject: Re: [nycphp-talk] PHP License Management
To: NYPHP Talk <talk at lists.nyphp.org>
Message-ID: <40ACE849.605 at phpwerx.net>
Content-Type: text/plain; charset=us-ascii; format=flowed

David Sklar wrote:

>> The actual software would then be encoded to protect the source from 
>> (casual) prying eyes (I was thinking of using the Turck MMCache 
>> encoder for this) and include code to check the license validity and 
>> take appropriate action.
>>
>> The most obvious (to me) attack on the system is to reverse-engineer 
>> the code and remove the license check, which could be mitigated 
>> somewhat by encoding the entire app and 'hiding' the check within the
>> code.
> 
> There's no perfect solution here, you just want to be sufficiently ahead 
> of likely attackers in the arms race. One thing that might help (but 
> will cost you more $) is to use a closed-source encoder like Zend 
> Encoder or the ionCube Encoder. Reversing the encoded code is much 
> easier when you have the source code to the encoder.
> 
> The ionCube encoder offers some protections similar to your licensing 
> scheme (but users can't change things), so that might be helpful, too.

You are right, the closed source nature of ionCube may make it more 
resistant to reverse engineering...in fact I think the company may 
already have a license for it...

ionCube seems to be a lot cheaper than the Zend solutions...and they 
claim it's faster too.

Dan



------------------------------

Message: 5
Date: Thu, 20 May 2004 13:16:25 -0400
From: "Daniel Kushner" <nyphp at websapp.com>
Subject: RE: [nycphp-talk] PHP License Management
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Message-ID: <200405201716.i4KHGR2P001460 at ns5.oddcast.com>
Content-Type: text/plain;	charset="us-ascii"

Warning: I work for Zend Technologies !


The Zend SafeGuard Suite includes the Encoder and licensing software
all-in-one.

http://www.zend.com/store/products/zend-safeguard-suite.php

Zend enjoys giving New York PHP discounts. You can contact me off list if
you're interested ;)

Best,
Daniel Kushner






------------------------------

Message: 6
Date: Thu, 20 May 2004 12:31:02 -0500
From: Rafi Sheikh <Rafi.Sheikh at Ingenix.com>
Subject: [nycphp-talk] Change key values in array
To: "'talk at lists.nyphp.org'" <talk at lists.nyphp.org>
Message-ID:
	<C92A8F8B60F96B42911EFA70AF30A88F060A4777 at msp7-msx1.ingenix.com>
Content-Type: text/plain;	charset="iso-8859-1"

Hi folks.  Is it possible to change the key value type in an array?  I have
an array that has string key values, for my purposes I need it to have int
index

NOW LOOKS LIKE:
array(6) { ["04-01"]=> int(0) ["04-02"]=> string(2) "32" ["04-03"]=> int(0)
["04-04"]=> int(0) ["04-05"]=> int(0) ["04-06"]=> int(0) }

I NEED IT TO LOOK LIKE:
array(6) { [0]=> int(0) [1]=> string(2) "32" [2]=> int(0) [3]=> int(0) [4]=>
int(0) [5]=> int(0) }

REASON:
I am getting date value from a DB, and then doing an array_merge with
another template to ensure that any missing month for a category get a zero
in the correct sequence.  Problem is that, the resulting array needs to have
int index for the graphing utility to work.

TIA


This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity to
which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified that
any dissemination, distribution or copying of this e-mail is prohibited. If
you have received this e-mail in error, please notify the sender by replying
to this message and delete this e-mail immediately.


------------------------------

Message: 7
Date: Thu, 20 May 2004 13:39:28 -0400
From: Phillip Powell <phillip.powell at adnet-sys.com>
Subject: Re: [nycphp-talk] Change key values in array
To: NYPHP Talk <talk at lists.nyphp.org>
Message-ID: <40ACED50.5080108 at adnet-sys.com>
Content-Type: text/plain; charset=us-ascii; format=flowed

Rafi Sheikh wrote:

>Hi folks.  Is it possible to change the key value type in an array?  I have
>an array that has string key values, for my purposes I need it to have int
>index
>
>NOW LOOKS LIKE:
>array(6) { ["04-01"]=> int(0) ["04-02"]=> string(2) "32" ["04-03"]=> int(0)
>["04-04"]=> int(0) ["04-05"]=> int(0) ["04-06"]=> int(0) }
>
>I NEED IT TO LOOK LIKE:
>array(6) { [0]=> int(0) [1]=> string(2) "32" [2]=> int(0) [3]=> int(0) [4]=>
>int(0) [5]=> int(0) }
>
>  
>

From first glance I would say just use array_values(), that creates the
enumerative array you want from the original array with the values in 
the same order.

Phil

>REASON:
>I am getting date value from a DB, and then doing an array_merge with
>another template to ensure that any missing month for a category get a zero
>in the correct sequence.  Problem is that, the resulting array needs to have
>int index for the graphing utility to work.
>
>TIA


-- 
---------------------------------------------------------------------------------
Phil Powell
Multimedia Programmer
BPX Technologies, Inc.
#: (703) 709-7218 x107 
Fax: (703) 709-7219

	



------------------------------

Message: 8
Date: Thu, 20 May 2004 13:36:06 -0400
From: "Daniel Kushner" <nyphp at websapp.com>
Subject: RE: [nycphp-talk] Change key values in array
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Message-ID: <200405201736.i4KHa9wH007583 at ns5.oddcast.com>
Content-Type: text/plain;	charset="us-ascii"

array_values()

-Daniel






------------------------------

Message: 9
Date: Thu, 20 May 2004 14:09:50 -0400
From: "inforequest" <sm11szw02 at sneakemail.com>
Subject: Re: [nycphp-talk] PHP License Management
To: talk at lists.nyphp.org
Message-ID: <28355-34786 at sneakemail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I have used Zend and ionCube on small-scale projects, and I can add:

Consider your vendor in light of your support needs - how much do you 
provide and how much do your customers need. If you will be doing the 
server setup/config then maybe there's no issue, but if the customer has 
to accommodate your use of Zend or ionCube then you may want to consider
how each of those vendors handles inquiries (since they now become a 
contributor to your company's customer satisfaction quotient). Last
thing you need is a great product that gets a bad rep because your 
encoder vendor had some compatibility issues.

When I was using ionCube there were some issues with the order in which 
ionCube and Zend extensions were to be installed, and when I used Zend 
there were some additional issues as well related to other products in 
use on the same server. It got messy when the customer moved from dev to 
production servers, especially.  I handled the Zend issues with Zend 
support (they responded very well) and handled the ionCube stuff via 
Internet searches. In the end my solution was dependent on end-user
server configuration -- something to be aware of. That was a year ago.

I would recommend tying the product to domain name instead of IP. Makes 
for fewer support calls and customer inquiries (change of DNS doesn't 
require support), and perhaps most importantly ties integrity to a 
brand. IMHO companies are less inclined to try beating it when their
brand name may be compromised/banned. There may be security issues of 
which I am not attuned that make IP a better choice.

I would also recommend you encode only choice parts using a modular 
approach, perhaps only encoding parts that tie to IP or domain, and then 
a few random bits for obfuscation. This deters the casual cracker, and 
occupies the determined infringer. Not sure how it plays into
performance though.

IMHO the Zend solution is more likely to need an update when the Zend
suite is updated, while the ionCube product is more stand-alone (and 
perhaps may be a better value if you only need a perpetual license for 
the encoder).

Finally I have noticed a lot of back and forth banter in vendor pre-sale
forums when encoding is part of the solution, related to how it is used, 
how it affects portability (the IP vs. Domain name thing), who supports
the server config, etc. If you make it clear that you use encoding, 
perhaps provide sufficient info up front about how it is used or you may 
end up increasing your pre-sale support costs.

-=john




------------------------------



End of talk Digest, Vol 12, Issue 26
************************************
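
The license token discussed in the PHP License Management thread above (client id, expiry date and a server binding, signed with a private key, here bound to domain names as Message 9 suggests), as an added example that is not code from any poster or from an encoder vendor. It uses Ed25519 signatures from PHP's sodium extension and signs the token without encrypting it; the claim names, token layout and sample values are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (PHP >= 7.3, ext-sodium). Claim names and token layout are assumptions.

// License server side: serialize the claims and sign them with the secret key.
function issue_license(array $claims, string $secretKey): string
{
    $payload = json_encode($claims, JSON_THROW_ON_ERROR);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Application side: return the claims when the token is authentic, unexpired and
// issued for $host, else null. Only the public key ships with the application,
// so a customer can read a license but cannot mint or edit one.
function check_license(string $token, string $publicKey, string $host, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    // Verify the signature before trusting (or even parsing) any claim.
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return null;
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !array_key_exists('expires', $claims)) {
        return null;
    }
    // expires: Unix timestamp for a subscription, null for a perpetual license.
    $expires = $claims['expires'];
    if ($expires !== null && (!is_int($expires) || $now >= $expires)) {
        return null;
    }
    $domains = $claims['domains'] ?? null;
    if (!is_array($domains) || !in_array(strtolower($host), $domains, true)) {
        return null;
    }
    return $claims;
}

// Constructed demo data: throwaway key pair, made-up client id and domains.
$keyPair = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair);  // stays on the license server
$publicKey = sodium_crypto_sign_publickey($keyPair);  // embedded in the encoded app
$claims = ['client' => 'C-1001', 'expires' => 1735689600, 'domains' => ['shop.example.com']];
$token = issue_license($claims, $secretKey);
[$payload, $sig] = explode('.', $token);
$edited = str_replace('1735689600', '4102444800', base64_decode($payload));
$cases = [
    'licensed host, within term'  => [$token, 'shop.example.com', 1700000000],
    'host not in the license'     => [$token, 'other.example.net', 1700000000],
    'after the expiry date'       => [$token, 'shop.example.com', 1800000000],
    'expiry edited after signing' => [base64_encode($edited) . '.' . $sig, 'shop.example.com', 1800000000],
];
foreach ($cases as $label => [$tok, $host, $now]) {
    $ok = check_license($tok, $publicKey, $host, $now) !== null;
    printf("%-28s %s\n", $label, $ok ? 'valid' : 'rejected');
}
```

Pass check_license() a host name taken from the server's own configuration; $_SERVER['HTTP_HOST'] is copied from the request's Host header and is chosen by the client.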




