16 Replies. Latest reply on Mar 5, 2015 7:04 AM by schamblee

    Licensing for Runtimes or FM Go

    tays01s

      I've barely started learning about security so forgive my naive Qs.

      However, adapting from other suggestions I have a button/script on the entry layout:

      # First run on this device: remember its persistent ID
      If [ IsEmpty ( Front::PermanentID ) ]
          Set Field [ Front::PermanentID; Get ( PersistentID ) ]
      # Stored ID differs from this device's ID: ask for a purchase and quit
      Else If [ Front::PermanentID ≠ Get ( PersistentID ) ]
          Show Custom Dialog [ Title: "Purchase Copy"; Message: "This is a different computer from the one the software was purchased. Please purchase a copy from: Nutritionsupport.info."; Default Button: “OK”, Commit: “Yes”; Button 2: “Cancel”, Commit: “No” ]
          Beep
          Exit Application
      # Stored ID matches this device
      Else
          Go to Layout [ “Front” (Front) ]
      End If

      This appears to work in that if there is no PID or the PID is correct, I get taken to the Front layout from which users would navigate using buttons alone (no menus). If I make the PID incorrect, it exits FM (not yet tested the RT solution).

      Qs:

      1. How do I ensure the Front_open layout is the only layout that can be opened on starting the solution but then remains invisible [use 'hide object when' in layout>data>behaviour FM13? I've got FM12 currently]?

      2. Aside from removing the Admin account for the RT version (Kiosk mode), what else do I need to consider in terms of security, particularly for an FM Go version?

      3. Is my PID script above enough to prevent piracy, in the context that everything can be hacked but this will be a $20-40 solution, so there's a limit to the expense I'd go in for to protect it?

      4. I have a website, can upload FM files, have a PayPal button to arrange payment/ download. However, how do I prevent multiple downloads for a single payment (timing?).

      5. Because some genuine users will change hardware I had considered having a second 'user ID' to offer them a heavily discounted copy. However, a. would this need to be handled by a website dialogue to input their user ID and permit access to a discounted copy and b. Is there any way you could prevent institutions/people effectively bulk buying and distributing copies cheaply?

      Again, sorry that my Qs are rather basic!!

        • 1. Re: Licensing for Runtimes or FM Go
          tays01s

          Are there no takers for this query??

          • 2. Re: Licensing for Runtimes or FM Go
            TKnTexas

            I am not able to answer this, but I would love to see the answers.  

            • 3. Re: Licensing for Runtimes or FM Go
              schamblee

              1.  The hide object would be used to hide objects on a layout; it does not hide a layout.  It could be scripted in your startup solution: if it is not a paid copy, then go to the purchase layout, else go to your dashboard / main screen.

              2.  FM Go security is the same as on the desktop, except most iOS devices are set up to access the device with a PIN or fingerprint, so I would say the iOS device may be more secure.  The database that you put on the iOS device is not a runtime; you only copy the database to the device, which is the database with a different file extension, if copied out of the runtime folder.  This file will open in FM, and it will be limited based on the security settings of the database.  The runtime creation in FileMaker doesn't turn the file into a standalone runtime file.  It basically creates a runtime of FileMaker that runs your database, and FileMaker Go does not use FileMaker.  FileMaker Go is the runtime for an iOS device.

              3. Anything can be hacked.  The main issue will be how the ID is created, whether the ID is encrypted, and whether the user can copy the database with the same ID and re-enter the activation code on this copy to activate another copy on another machine.  What causes the ID to be recreated?  (I don't need the answer; you just need to consider the question and answer.)

              4. PayPal has a digital content ability where you can email the file / email a download link.  I don't have all the details on this; I sent PayPal an email today asking how to set this up.  I will have to let you know after I get this set up.

              5.  There is no guaranteed way to stop someone from stealing your work.  I would suggest that you have a copyright notice on your software.  You don't have to do anything special to have a copyright on your software.   You are more protected if you have a notice, and then if you find out someone stole your work you can sue them.  Granted, you have to prove that it is yours.  It may cost you more than it is worth to sue, but you have the option.

              I suggest that you make it difficult for the user to steal, create a license agreement (you can find free copies online), I also suggest having an about button in your database that covers your license agreement, copyright, additional cost of support, and how to obtain support.  A license agreement is very important, you don't want to be responsible for lost data.  

               

              • 4. Re: Licensing for Runtimes or FM Go
                tays01s

                Thanks. I'll start working on this lot. I'm probably the millionth to say this, but it's surprising that FM haven't put together some security solutions/ pathways, even with loads of disclaimers. It would help a lot of people get to market. Anyway:

                1. Front layout: So I need to make access only through a 'Front' layout, using a script. Correct?

                2. Solution versions: OK, if I'm wanting to make my solution available to non-FM users, I create an RT solution for Windows/OSX but take the DB from this, re-name the extension back to .fmp for use with iOS. Correct?

                3. ID security: The start I've made is that on opening the DB is entered only through a script that checks the Persistent ID in the DB with that of the device. If it's not the same, the user gets asked to purchase a DB. However, if the DB has never been used, the script grabs the PID ready for next opening. Please correct me if I'm wrong but since the user doesn't enter anything or see the ID I am assuming that once the PID is created, the DB won't work if copied to another device. 2 weaknesses obvious even to me:

                a) Pre-PID: I don't know how to prevent copies being made prior to PID creation.

                b) PID encryption: i. How do people manage to intercept/ find this to make encryption necessary and ii. how do you do it? I have seen 3 methods advertised, all seem old to v. old and cost $100's-1000s and none give dummies like me an understandable explanation of their use.

                4. Paypal: Yes, please post any info they give.

                5. Copyright: I'll adapt some working and post a link to a copy when I've finished.

                • 5. Re: Licensing for Runtimes or FM Go
                  schamblee

                  1.  Use the script trigger OnFirstWindowOpen to load a startup script to select the correct layout.  The starter solutions use a startup script trigger.

                  2.  I include the solution version on my about screen.  This is very important; after a year or two of selling your database you will not remember who purchased which version.  Most companies will charge for updates after a period of time.

                  3.  Persistent ID.   The Persistent ID has had some issues on iOS devices.  I understand from FileMaker this has been fixed.    You might want to Google others' recommendations on this.  http://help.filemaker.com/app/answers/detail/a_id/12074/~/behavior-differences-of-get-(persistentid)-and-get-(systemnicaddress)-when-used

                  4.  I suggest using an activation code that works in tandem with the ID to prevent users from making illegal copies.  If you give full access to your database, a user can figure out how to decrypt your activation code.  There are encrypting / decrypting functions on Brian Dunning.  I have made my own system; I can't give it out because people will learn how to decrypt my databases.  Again, it really doesn't have to be a difficult system because a full access user can figure it out if they want.  It's a matter of making it difficult for the user to steal.  This can get complicated, so you have to justify the trouble compared to what you will lose if your database gets stolen.   No need to spend $1000 so you only make $50 and lose $950.  Time is just as valuable as money; in my opinion they are equal.

                  5.  I haven't heard back yet.  It stated on their website they will contact me in 24 hours; it will take me some time to get it working, and this 24 hours may be work days.

                  6.  Copyright can be basic on the opening screen / about screen.  Example:  Copyright 2015, All Rights Reserved.  I don't know where I got this, but I have been using it with a different year for years.  I put a more detailed copyright in my license agreement, such as those used on movies.

                  7.  I added this number because any business application should have a release of liability in the license agreement.  In a sue-happy world, this could break a company, so protect yourself.

                  I started selling my first database (FoxPro database) about 23 years ago, and no, I didn't have any of this stuff (crap) in my first few databases, and I'm still here selling databases.  You have to start somewhere and add on as you learn more and make more money.  You have to look at what you are making and not what you are losing when it comes to people stealing your work.  It is going to happen, so don't worry too much about it; move on to the next deal.  It is kind of like car repairs and buying gas for your car: it costs, but it doesn't stop you from buying a car or using a car; it is just a fact of owning one.

                  • 6. Re: Licensing for Runtimes or FM Go
                    schamblee

                    PayPal emailed me back and the email didn't give much information.   The instructions I found are for their classic API, and when I log in I am getting their new API, so I had to switch to classic so I could follow the instructions.   Basically, you need a business PayPal account, then there is a link to create different types of "Buy Now Buttons".  There are a couple of examples.   I set up a couple of these buttons.  You have to set up your website payment preference with a return URL, which takes the customer to a page on your website saying that the order is complete and you will email them about their order.  There is a Payment Data Transfer setting that you have to enable; then information is sent back to your website about the order, such as completed or failed, and then you either send them an email with a download link to the file or an email about the failed payment.   Hopefully I will have this set up and completed in the next couple of weeks or sooner.
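One way to handle question 4 of the original post (one payment, one download) once the payment notification described in the reply above has arrived: an expiring, single-use download token. This is an added example, not part of the thread and not PayPal's API; the secret, the transaction IDs and the function names are constructed.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: kept on the web server only
MAX_DOWNLOADS = 1
_redeemed = {}  # transaction id -> downloads served; a real site would use a database


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(txn_id, ttl_seconds, now=None):
    """Build the token that goes into the e-mailed download link."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{txn_id}|{expires}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_sign(payload)).decode())


def redeem(token, now=None):
    """Return (True, txn_id) once per payment, otherwise (False, reason)."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return False, "malformed"
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    try:
        txn_id, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:
        return False, "malformed"
    if now > expires:
        return False, "expired"
    if _redeemed.get(txn_id, 0) >= MAX_DOWNLOADS:
        return False, "already downloaded"
    _redeemed[txn_id] = _redeemed.get(txn_id, 0) + 1
    return True, txn_id


if __name__ == "__main__":
    link_token = issue_token("TXN-CONSTRUCTED-001", ttl_seconds=24 * 3600)
    print(redeem(link_token))  # first click on the link
    print(redeem(link_token))  # second click, or a forwarded link
```

The expiry covers the "timing" idea from the question; the redemption counter is what stops a forwarded link from working within that window.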

                    • 7. Re: Licensing for Runtimes or FM Go
                      tays01s

                      Thank you. All of this is v. useful and most makes perfect sense.

                      4. Activation: This is the trickiest bit for me. I assume one can hard-code a 'user-specific' activation key into each copy of the solution along with the user's Persistent ID (PID) that they have given you. However, I'm not sure how you can automate this without there having to be website coding (beyond me and therefore expensive).

                      I won't be intending to give full access so does that obviate the need for encryption?

                      5. Paypal:  I will try this as soon as other problems are sorted.

                      • 8. Re: Licensing for Runtimes or FM Go
                        schamblee

                        4.   I have a company information table in my databases, which contains the company information and the installation information for that company.  In my startup script I check the found count in this table; it is empty before an install and has one record after install.  I have an auto-enter field that creates my installation id, and this id is based on the current date.  This id can also contain the Persistent id, and then you encrypt this field.  As I have stated, there are free custom encryption and decryption functions on Brian Dunning's website.  I would change up these functions some to make it harder for someone to decrypt.  The installation id will be the encryption code, and this id can have different items added to it at install.  It could also include part of the company name, address, phone number and/or zip.  Anything to make it harder for the user to figure out.  The user will have to call you / go to your website for an activation key.   This activation number is the installation id encrypted, so in your startup script you will decrypt this activation id and it should match the installation id.  No one will know what makes up your installation id because this should be a mix of different items as listed above and will only be in the order you place the items.  Basically the activation id is a checksum number of the installation id.  There are several different ways to use a checksum number too, because dummy numbers can be added to either or both id numbers and only you will know that that part is a dummy number.  Think of how a Windows installation id is like 10 fields of 5 characters, and each field can be an encryption of any part of the items listed above.  I will give a random example of an installation id:   FILEM-KLTY-09512E8831E83928A09E21F697C251K2-735658-AYCX. This id will get encrypted to give the activation id.
                        My sample installation id contains the first 5 letters of the company name (Filemaker), four dummy letters, the persistent id number, the date in number format, and four dummy numbers.   The dummy numbers can be ignored when you encrypt the id number; it is up to you.  Sorry about the different fonts; it changed when I pasted the persistent id in my example. The persistent id is not real; I changed numbers and letters in it.

                        Sorry if I misspelled anything or left words out; I didn't proofread.

                        • 9. Re: Licensing for Runtimes or FM Go
                          tays01s

                          4 . Just to check if I understand this:

                          a. Store user and installation info in a DB table.

                          b. Startup script checks the find count in this table. It is empty before an install and has one record after install.

                          [Q: Where is this DB containing the user/install info?]

                          c. Auto-enter field creates the installation id based on the current date and Persistent id; this field is then encrypted. [Q: Brian Dunning's website has a demo, sadly doesn't seem to work on my Mac, but the actual 'Easy Encryption' is $99.]

                          [Qi: Is what you mean by “I would change up these functions some to make it harder for someone to decrypt.” that you will add to the Installation id different items from Persistent ID + 'user info' (ie. company name, address, phone number and or zip)?]

                          [Qii: Would user info be sent an email?] And

                          [Qiii: Presumably there would be an FM field that calculates the installation ID from Persistent ID + 'user info'.]

                          d. Activation key: You say the user would call or visit the vendor's website to get this encrypted key, then the FM startup script would decrypt it and check it against the installation id [c. Qiii].

                          Qi) Presumably you are supplying a key that they copy into a field and that this field & the field with PID+user info are compared in a checksum at startup.

                          e. Explicitly how do you create 'dummy numbers' & I wasn't sure what you meant by a “window installation id is like 10 fields of 5 characters and each field can be an encryption of any part of the items listed above.” Was the 10 by 5 just an eg.? It could be any combination?

                          f. Info exchange: I can see that manually communicating user info from user to vendor and activation from vendor to user is fine for low volume/ high value solutions but you'd need an automated process for high volume/low value solutions. Is there any way to avoid needing web-pages being specifically coded to accept user info and issue the activation key?

                          • 10. Re: Licensing for Runtimes or FM Go
                            schamblee

                            4 a. Yes, there is no perfect solution.   You have to make it hard for someone to steal.   Display the company name on the main screen and make it very hard to access to change, and include the company name or part of the company name in the installation id and compare these two in your startup script.

                            b. Yes.  You place a table in your database that contains this information.  I base my startup screen / dashboard on this table.   It really doesn't have to be related to any other table because it just contains install information. Your startup script can copy the company name and address to global fields to display "registered to" information on the startup screen.

                            c. There are several free encryption functions on their website.    There are several different types of encryption that you can Google, then write your own function.  It's not like you're trying to encrypt bank data, so your encryption does not have to be fancy.
                            Your installation id would be in a different order (the items contained within it) and/or contain different information than I put in the sample.   To make it easier for me to read, I may have two or three calculation fields to make up the final calculation.
                            d.  Yes, each time in the startup script the information would be compared.  You would have another calculation field or custom function.
                            e. Dummy letters that your calculation would ignore in the encryption / decryption cycle.   You would have another calculation field that would randomly pick a set of dummy letters.  Microsoft Windows generates a long installation id for the user to call Microsoft if the internet connection does not work, and you give this number to Microsoft.  It was an example.  Just like several software companies.
                            f.  The PayPal process can send the installation id, and then you would email them back the activation key.  PayPal will create a general button, and then I modified this button to add the installation id.  I have a Buy Now button in a web viewer in my database on the activation screen.  The activation screen tells the user that I will email them the activation code within 24 hours.
                             

                            • 11. Re: Licensing for Runtimes or FM Go
                              tays01s

                              Taking one of the Brian Dunning site downloads as an example:

                              //OK_Encrypt ( Text ; Key )
                              // 12-29-10 Peter Vinogradov

                              Let (

                              [
                              Ki = If (Left ( Key ; 2 ) <>"||" ; "||1||" & Key ; Key );
                              i = GetValue ( Substitute ( Ki ; "||" ; ¶ ) ; 2);
                              Key = GetValue ( Substitute ( Ki ; "||" ; ¶ ) ; 3);
                              v = Char ( Code ( Left ( text ; 1 ) ) + Code (Middle (key ; i;1) ) );
                              Text = Right ( text ; Length (text)-1);
                              i = If ( i>= Length ( key); 1 ; i+1)];
                              v & If (Length (text) ; OK_Encrypt (Text ; "||" & i & "||" & Key) ))

                              I haven't used custom functions before, but I'm assuming that 'key' is a function parameter. However, what do I do with OK_Encrypt? My calc field is wanting an operator after this item; it doesn't know what it is.

                              • 12. Re: Licensing for Runtimes or FM Go
                                schamblee

                                OK_Encrypt is the name of the new custom function, which will also have to be used in your calculation field.   There are two parameters, Text and Key.    Your calculation field would be OK_Encrypt(table::installationId;table::keyfield)

                                I copied the function from Brian Dunning's website and tested it, and it worked.

                                 

                                • 13. Re: Licensing for Runtimes or FM Go
                                  tays01s

                                  So:

                                  1. Text is whatever you want to encrypt, eg. Persistent ID?

                                  2. Explicitly (because this is all new stuff to me) what do I put in the 'Keyfield'?

                                  I assume any calc field in which I put my function should be 'text', not a number?

                                  • 14. Re: Licensing for Runtimes or FM Go
                                    schamblee

                                    The text would be the information you would want to encrypt.  I don't think there would be a reason to encrypt the Persistent Id.  I create an Installation Id that has nothing to do with the Persistent Id; my installation id contains the install date, and I encrypt that text.

                                    The key of that custom function is the basis of the encryption.  It can be anything you want.  You have to use that key to decrypt the message.

                                    My Installation Id is the result of my encryption, which only contains numbers and letters.  These numbers and letters can represent anything.  In my id, part of it is the install date; then my Activation Code contains the install date, also encrypted, and they must match to be a valid copy. They don't know it is a date because it is encrypted.   You can also have in the activation code letters representing the company name or address, so if the company name or address changes in the software the code would be invalid.  My startup compares the installation id and activation id, then it compares the activation id to the company's information.  Any changes in the company information would make the activation id invalid, and a user that steals your work would want their name and address displayed on screen and on the invoices, not the company they got it from.  If they are able to make a blank copy, then the installation id would change the install date, which would make the activation key invalid because the install dates would not match.

                                    Is it clear as mud yet? :)
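The arithmetic of the OK_Encrypt function quoted in reply 11 and the startup comparison described in replies 8 and 14, modelled in Python as an added example; it is not code from the thread or from Brian Dunning's site. The key, the `ok_decrypt` inverse, the base32 wrapping and the function names are assumptions, and the installation ID is the sample from reply 8. The function is a repeating-key additive scheme, so it serves as the obfuscation the replies describe rather than as strong encryption.

```python
import base64
import hmac

# Sample installation ID from reply 8 (the poster notes its persistent ID is not real).
INSTALLATION_ID = "FILEM-KLTY-09512E8831E83928A09E21F697C251K2-735658-AYCX"
VENDOR_KEY = "example-key"  # constructed key; plays the role of table::keyfield


def ok_encrypt(text, key):
    """Model of OK_Encrypt: each code point plus that of the cycling key character.

    The FileMaker recursion carries its position in a "||i||key" string, so a
    key that itself starts with "||" is read as that state; the model rejects it.
    """
    if not key or key.startswith("||"):
        raise ValueError("key must be non-empty and must not start with '||'")
    return "".join(chr(ord(c) + ord(key[n % len(key)])) for n, c in enumerate(text))


def ok_decrypt(cipher, key):
    """Inverse (assumed helper, not in the thread): subtract the key code points."""
    if not key:
        raise ValueError("key must be non-empty")
    return "".join(chr(ord(c) - ord(key[n % len(key)])) for n, c in enumerate(cipher))


def to_typable(cipher):
    """Raw output reaches code point 254 for ASCII input, which a customer
    cannot type from an e-mail, so wrap it in base32 groups of five."""
    raw = bytes(ord(ch) for ch in cipher)  # ValueError if any code point > 255
    b32 = base64.b32encode(raw).decode().rstrip("=")
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))


def from_typable(code):
    b32 = code.replace("-", "").replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding stripped above
    return "".join(chr(b) for b in base64.b32decode(b32))


def issue_activation(installation_id, key):
    """Vendor side: the code that gets e-mailed back after payment."""
    return to_typable(ok_encrypt(installation_id, key))


def is_activated(installation_id, activation_code, key):
    """Startup check: decrypt the activation code and compare with the stored ID."""
    try:
        recovered = ok_decrypt(from_typable(activation_code), key)
    except ValueError:  # mistyped code, wrong alphabet, or underflow on decrypt
        return False
    return hmac.compare_digest(recovered.encode(), installation_id.encode())


if __name__ == "__main__":
    code = issue_activation(INSTALLATION_ID, VENDOR_KEY)
    print("activation code:", code)
    print("same install   :", is_activated(INSTALLATION_ID, code, VENDOR_KEY))
    # Constructed change: a blank copy gets a new install date, so the old code fails.
    moved = INSTALLATION_ID.replace("735658", "735700")
    print("re-installed   :", is_activated(moved, code, VENDOR_KEY))
```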
