Controlling who can run an executable

Mike Meyer mwm at mired.org
Mon Oct 3 23:36:40 EDT 2005 

"Cigar" <chrisgarland67 at hotmail.com> writes:
> Now that I'm three months into the development of this program, my
> client tells me she would like to protect her investment by preventing
> her employees from doing the same to her.  (Going to the competition
> and using her program.)

First thing to know; you can't stop someone who's sufficiently
determined to run the program. The best you can do is raise the cost
of breaking your security to be more than any value that could be
gained from doing so.

> What my client cannot prevent:
> - access to the .exe
>
> What my client is looking to prevent:
> - running of the exe by un-authorized individuals.

Not quite.

> Ideas I've had to prevent someone from running the app:
> - ask for a password every time the program is run. (I wonder how
> quickly they will complain about this, not very secure once everyone
> eventually finds out what the password is)

If only authorized people have the password, then this works. The
problem is that her employees are probably authorized, but she doesn't
trust them to not take the program to her competition. Which brings
up an alternative goal:

Prevent running of the exe on unauthorized hardware.

> - make a little hardware dongle and check to see if it's on the
> parallel port. (old idea)
> - check for an encrypted flash drive and try to read an encrypted file
> from it. (new idea)
> - buy the client a Microsoft Fingerprint Keyboard and figure out if it
> will make the clients life easier (two minutes of research showed this
> idea has multiple problems)

Note that these three all use the idea of unauthorized hardware, not
people.

You don't need to install special hardware to get that. There are a
number of pieces of hardware that you can find in a modern computer
that may have a unique serial number you can use as a
dongle. Possibilities include a CPU serial number, an HD serial
number, and the MAC address of any network cards: ethernet, wireless,
and apparently FireWire drivers have them. People have used all of
them in the past.

> What I want:
> - the simplest thing that could possibly work!

Telling her "Don't let your employees near the computer with media, or
when it's connect to a network."  That could possibly work, for some
definition of work. You need to define how difficult you want breaking
your security to be. Then we know what "work" means, and can figure
out what "the simplest thing" is.

    <mike
-- 
Mike Meyer <mwm at mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

More information about the Python-list mailing list