Would someone tell me if there is a unique PC identifier (hard drive
number, or CPU number, etc.) that can be accessed remotely when the
user is downloading software. This is needed to create information on
this user to increase his security status when he is using the
software he downloaded.

---

Request for Question Clarification by tar_heel_v-ga on 11 Dec 2002 05:48 PST

Is this for a software package that you have written?  Are you looking
to assign an ID?

---

Request for Question Clarification by lot-ga on 11 Dec 2002 05:58 PST

Hello pinhasro-ga
There is one unique identifier but it doesn't really increase the
users security status (maybe there are others). This one protects the
software from being pirated, as it only runs on that specific OS/PC
combination. It can be accessed remotely if the user submits it over
the internet (if you classify that as remotely)
regards
lot-ga

---

Clarification of Question by pinhasro-ga on 11 Dec 2002 06:18 PST

1. We are not looking to assign and ID.
2. A unique identifier that can be accessed by an executable on the
machine is what we need. Any SW/HW combination will do the work for
us, as long as it is a unique number, and we can access it without
user intervention.

---

Request for Question Clarification by tar_heel_v-ga on 11 Dec 2002 06:22 PST

Does the machine in question have a network card installed?  If so,
you could use the MAC address as an identifier.  Also, what operating
system are you using?  I have found a couple of scripts that may work
as well.

-THV

---

Clarification of Question by pinhasro-ga on 11 Dec 2002 07:32 PST

This unique identifier we are looking for is for home/corporate
machines connected to the web in any possible way (dial up, networks,
etc). We are a software company providing our users with software that
they download from our site via web. When our customers download our
software in their PC, we want to register to what PC they download
using some unique identier of user's PC. We then will use later this
unique customer identifier in our software (DB), to give this customer
more security. We can write software, what we need to know what is
this unique identifier of users PC. These PCs may have many different
Windows based Operating Systems, they are located in many different
locations/countries, HW is of many types, and connected to the web any
possible way.

---

Request for Question Clarification by sublime1-ga on 11 Dec 2002 14:04 PST

pinhasro...

Having built and maintained my own PCs for some
time now, what would concern me, as a user of your 
software, is that there are few parts that I would
not change out over the course of a PC's lifetime.

Hard drives have volume numbers, but could be changed.
The CPU could be changed. The OS could be changed, or
another copy with the same serial number could be found
on another machine (somehow). Network connectivity could
be changed, so the mac address may change. Cookies can
be deleted. This being the case, why not allow the user
to enter a unique ID, such as the PC serial number, as
illustrated in the software on this cached Google page:
http://216.239.53.100/search?q=cache:vyAoRGzz8A0C:www2.kumc.edu/finance/softwareCompliance.htm+unique+%22pc+identifier%22&hl=en&ie=UTF-8

Look for the yellow and blue highlighted words 'unique'
and 'PC identifier'about a third of the way down the page.

Hello pinhasro-ga,

As far as a single unique identifier, for commodity hardware the
answer is no.  Some Intel CPUs ship with a unique identifier, but this
is not universal, and can be turned off by the user in the BIOS.

As far as generating a unique identifier, sublime has hit on the
essential problem - hardware changes.  My computer is only about 2
years old, and I have replaced the motherboard and a network card,
added a SCSI card, added a soundcard, added a second videocard, added
5 new hard drives and two new opticals, and tripled the RAM.  I also
have a removable hard drive bay, so every other time I reboot my
computer (and in fact while it remains booted), my hardware
configuration can change.  Any number generated from those variables
would change.  Now, while I'm a member of a small minority of computer
users in that regard, regular users are *very* irate when their
software stops working, and they'll be even more pissed off if they
find out that your software *deliberately* stopped working.

Microsoft has tried a scheme in the Windows XP Product Activation
which computes a hash based on what hardware you have, but this has
been cracked (in numerous unique ways) and is a real pain for anyone
whose computer changes.  If you are interested, I can try to find
numbers as to how much money Microsoft has spent supporting this
scheme (manned phone lines to let people call up and get a new product
activation code so their computer keeps working).

If I were to write software and needed to protect it from illegal
copying, I would require a serial number such as is common now. 
However, rather than a serial number that works forever, on any
machine, and basically just pisses off legitimate users and makes
illegitimate users write it on the CDR they copied the software to, I
would add some checking.  Any time your software is run while the user
is net-connected, it would transmit its serial number to your computer
network, which would validate it against a list of known-bad serials
(ones you've seen posted on the net).  If the numbers match, the user
would get a message saying that their "serial code has been
invalidated - please contact such-and-such company if you are the
legitimate owner of our product"  If they are and someone just stole
their serial, issue a new one and be on your way.  The software should
keep track of the date and number of times used, so at least once
every 1000 (or whatever) times the software is used or once a year, it
calls home or asks the user to please connect to the internet.  It is
a well-known fact that issuing certificates (such as serial numbers)
with no mechanism to invalidate compromised certs is fundamentally
flawed.

I've strayed a bit from your original question, but I hope this has
been useful.  Don't hesitate to ask for a clarification.

-Haversian

---

Request for Answer Clarification by pinhasro-ga on 15 Dec 2002 07:48 PST

Perhaps I'm not explaining myself clear, so I can't get clear answer.
Our problems is as follows: we produce software that users download to
their PCs to play games. Each user first time receives 30 days free
play. After 30 days the user has to pay for the service. Some people
abuse us, after 30 days they change their user name, and re-activate
their account as new free trial account for next 30 days. And some
nasty people do it 10 times, or even more. This causes us loss of
revenues, and also brings complaints from paid people.
We want to stop people from being able to change their user name when
playing from the same PC. We are not concerned with people changing
HD, or HW, nobody does that to cheat on us. Same with changing PC: how
many time the cheater will go to a different PC to avoid paying. After
few time he will run out of PCs available to him. The way we want to
protect us is to read some unique PC identifier when the player
downloads our software. Then we can associate this identifier with his
user name, and block his access when he will try to access the
application from the same machine but with different user name. Or,
instead of reading unique PC identifier, we may also install
"covertly" some unique number on user's PC, which we can use later to
correlate to his user name. What do think about this?

---

Clarification of Answer by haversian-ga on 16 Dec 2002 01:07 PST

In choosing a way to limit abuse of your software, you must also
consider the way it affects legitimate users.  While branding each
copy you give out with a digital certificate tied to the user's email
address, credit card number, computer hardware, and MAC address and
checking the validity of the cert against a database on your systems
would be highly effective at stopping abuse, it would be highly
disruptive to legitimate users, who would likely defect.  You probably
already are thinking about that, but it never hurts to mention it
again.

Most software (in my experience) uses the Windows Registry to denote
"been there, done that" so a new copy of the trial software cannot be
used.  Knowledgeable folk find and delete the registry key, but the
vast majority of folks don't even know they *have* a registry, let
alone can edit it.  You could also write a hidden file somewhere on
the user's hard drive that says the same thing.  Under Windows 2000 at
least, there's a folder called "Application Data" in the user's
Documents and Settings folder that's already hidden by default, so you
don't even have to hide your file.  You could write both and have your
software object if either one is missing.

Ultimately though, all you can do is make it harder; you can't keep
folks from stealing your software.  The computer your software is
running on is untrusted, and your software can't even tell if it *is*
a computer.  Software exists to run one operating system inside
another, and neither the OS nor the applications know they're not
running on real hardware.

It's not clear what this account is you speak of.  Could you elaborate
a bit?  Perhaps there is some way there to limit the number of times a
user can install your software.

You can do it using Windows SIN number (unique to each machine not
install) but it would have to be executed locally and would not work
on unix boxes or macs.

Windows for XP has *did* it with ids of individual components (as you
say hard drive number, or CPU number, etc.) all of which is incredibly
simple to pull locally with a number of machine calls (programming
specifics would constitute writing them).  The problem was what
constitutes 'a computer' when you can pull out parts and add others
was in question.  They killed this just post beta with the 'business'
fix however as it required a level of support which even they and oems
could not handle.  (I change my video card and the @&#!$ software died
etc.

There's probably no practical way to do this.  At least from a
standard web interface, anyway.  MAC addresses, while a good start,
aren't reliable because they can be filtered (and altered) by
firewalls and are actually programmable in some newer network devices.
 Intel attempted the unique serial numbers (their Processor Serial
Number, PSN, in some of their Pentium III line) but the public outcry
over privacy rights violations was enough that Intel backed down from
it.  (And users with CPUs with PSNs can disable the feature in the
BIOS).

Having the user register / choose an ID is probably the only
fool-proof way of matching the software to the user.  Anything based
on machine hardware is apt to change.

Duncan2-ga

Perhaps I'm not explaining myself clear, so I can't get clear answer.
Our problems is as follows: we produce software that users download to
their PCs to play games. Each user first time receives 30 days free
play. After 30 days the user has to pay for the service. Some people
abuse us, after 30 days they change their user name, and re-activate
their account as new free trial account for next 30 days. And some
nasty people do it 10 times, or even more. This causes us loss of
revenues, and also brings complaints from paid people.
We want to stop people from being able to change their user name when
playing from the same PC. We are not concerned with people changing
HD, or HW, nobody does that to cheat on us. Same with changing PC: how
many time the cheater will go to a different PC to avoid paying. After
few time he will run out of PCs available to him. The way we want to
protect us is to read some unique PC identifier when the player
downloads our software. Then we can associate this identifier with his
user name, and block his access when he will try to access the
application from the same machine but with different user name. Or,
instead of reading unique PC identifier, we may also install
"covertly" some unique number on user's PC, which we can use later to
correlate to his user name. What do think about this?

pinhasro,

If you have not already done so, create a "bad" list of the
name/address/phone/e-mail information previously identified as
belonging to mis-users of your software. (When a trial user's 30-day
period ends and they don't subscribe, move their information into this
database as well. If they come back later and pay for a subscription,
however, be sure to remove their information from this database. Paid
subscribers whose subscription expires should be also moved into this
database.) Before allowing a trial user to download the software,
check their info against this database.

Then, try modifying your software to:
1) Install a registry entry, and
2) Install an entry in Windows' "Application Data" folder
when the software is installed on a PC.

Also, modify your software to check for both of these entries when it
is installed. If either one of them already installed, your software
should disable itself (maybe after re-installing the registry entry or
the Application Data entry if only one of them is missing).

This is not a perfect solution, but only the most savvy computer users
will know to look for and delete the entries in both places; the rest
will be busted. Add the contact info that they supplied to your "bad"
list.

I hope you find this information helpful to your situation.

Regards,

aceresearcher