How to write (kinda) spyware

Well, ok, not spyware, because it's against forum rules and it's bad, but something close to that. The problem: I need to allow only a few people behind NAT to access my web page. The username/password won't help, as it's actually the machines I need to restrict, not people, and if 50 people come to the PC during the day... I think that renders this solution useless, not to even think about password sharing among other machines if they are available to users... Nothing on earth seems to allow me to enforce such access rules, because all the mechanisms are just cut-off versions of the needed ones... The software will be installed with user permission and such, if I can't avoid installing junk on the client's PC, but I need an access control mechanism really bad and I just don't want to resort to the super fugly/$$$ way of SSL...

Why not just use a .htaccess or PHP to restrict access to only the IPs of the machines you want?

If you're just hosting a single website on your machine, block connections to the server's port (80) using your firewall to anybody outside the allowed range. If you're running multiple sites, edit that particular site's access permissions (IIS provides a mechanism for this IIRC, as does Apache).

Ok, I'll do some drawing... EDIT: no drawing... spaces are getting eaten


(My WEB) ---- NAT ---- PC (A,B,C and probably few hundred more)

I have good users sitting at PC A, and evil users at PC B and PC C... The problem is that they all use one IP address and if I block it, users at PC A are blocked for good...

Guest Anonymous Poster
Ah yeah, I think I understand...
It's similar to:

YOUR_SERVER ---- ISP ---- YOUR_ROUTER ------ YOUR_LAN ---- PCs [yours, others]

What about using a VPN and storing the password locally on the allowed PC(s)?

Yea, that's the problem... :(

And VPN is only good if I need them to be in my LAN. I just want to serve a web page to probably quite a few people, VPNning the whole system would be extremely burdensome, resource hungry and so on... :(

Storing password locally... I don't know how to do that in ASP or PHP, unless I use cookies... That can be cleared... Moreover, IIRC they might be unique for every logged user...

Out of interest, why do you need to only allow access to your site from certain machines, not users, if they're all behind the same NAT anyway?

Imagine 3rd world country... Thousands of people are dialing in every day (ISP uses NAT, or even worse, NAT+Proxy), they all share one IP, and I just see that one IP is accessing my server resources...

Passwords... One user gets it... he posts it on some forum... And username+password+IP check is OK for, let's say half of China...

Guest Anonymous Poster
And what are you going to do about it then? Install spyware on the computer of all people in the world, so they can't get onto your website, presumably without paying? That's the most retarded idea I ever heard.

You either post something on the internet for everyone, or have them get an account with a password. That's the way it works.

If this isn't applicable to your problem, lay off the jacky and stop talking about a generic problem instead of your specific problem.

I got to earn money somehow, take a look at techreports poll about percentage of pirated music they have. Depressive amount of people have 90%-100% ripped content.

You can say that the price is not right or something, but it's the laziness and money spent on girls/alcohol/other stuff that is reason enough to avoid paying if you can get something for free.

So, excuse me, but if you can't offer me a real solution, just shut up, and keep waiting till it's all rosy and cool around.

I am not a spyware fan, but I need to find some sort of solution, I guess some developers should understand the problem behind all this.

Guest Anonymous Poster
Have fun in jail.

What does jail have to do with this? I only need to check, say, the MD5 of the user's MAC address against the one I have in my database, and restrict if username+password matches but the MD5 of the MAC doesn't match any of the known ones.

There is no private information transmitted, moreover I would openly admit that I'm sending something over the net, or storing on the PC.

Edit: Ok, I might need to have a licence agreement that says logging with username that is meant for semi-public access you agree that some form of PC identifying information is transmitted.

It's just stupid that if you want to make some sort of web information accessible to, say, hospital visitors, you have to force them to enter a password every time they use a public terminal, and live with the consequences that the password they enter can get leaked for use by the general public, therefore robbing income and slowing down or stopping the improvement and support of the system.

So actually I think my intentions are not that bad, despite the fact they need some half-shady practices to get them working.

Do you think WGA validation should lead to general arrest of everyone at Microsoft?

[Edited by - _Madman_ on October 18, 2006 10:55:54 AM]

Quote:

Do you think WGA validation should lead to general arrest of everyone at Microsoft?


No, but we can dream can't we?

As for your question, it's not spyware if it's openly disclosed. It's an authentication program. However, if you're worried about users sharing their usernames and passwords, what's to prevent them from spreading around the program as well? Or even making a program that spoofs the data that is sent to your servers? Anything you can think up, someone can find a way around.

And AP, please don't flame. It's not spyware, so you have nothing to be upset about.

-overflowed_

Well, the amount and structure of data is dynamically generated, so it's not that easy to share, and spoofing of 1 or 2 connections is not exactly the same as when one city has one IP and everyone in every corner can just enter a password their friend is using and not even bother about anything...

Thinking that there will be no piracy is stupid, but lowering the amount to one third is a work worth doing...

Well, your problem seems to be a classic one. How do you allow access to only a few allowed people? If you use a program, what stops them from sharing the program? If you use accounts, what stops them from using accounts? If you restrict hosts, what stops them from sharing their computer?

You have to cut your losses at some point. I understand that you don't want to use user authentication, but it may be helpful if you were a little more specific about what you're trying to restrict, and why traditional methods wouldn't work for you.

Is it just a web page? Is it a web based program? Is the content of the page what's important? A little more information can help to understand what you're trying to do, and what method is best to do it.

A browser plug-in?

A program that embeds a browser with strange connection settings?

Remember, the client can run an emulated machine -- so in the end, what you ask for cannot have perfect security.

What part of the world are you from where an entire city has the same IP address? Also, are these third-world people the ones you're looking to make your money from, or is your content for a broader audience?

How about some kind of bandwidth limitation? Use regular usernames and passwords, but limit how much you send to each logged in user. That way if someone started handing out their username and password then they end up with a nigh-on unusable service. Make that clear when they sign up and you'll also have a motivation not to share their own account. (Now I think about it, this is much like the approach taken with Steam).

However without knowing what your service is that half the population of china wants to access, it's very difficult to suggest practical alternatives.

Guest Anonymous Poster
Here's how it's done. Use a username and password. And only allow one login at a time, with a session cookie in the browser or something. So now, one account can only be used by one person at the time - which would presumably be what they're paying for anyways (but I can't be sure because you aren't very specific).

And here follows a crash course in marketing, just because I'm so nice:

Make your paying customers happy, so they stay with the service. Getting a new customer is on average 6 times more expensive, marketing wise, than keeping an existing customer. Making your customer happy does not include making them jump through hoops installing additional programs or plugins for no good (to them) reason. How many "pirate" users are you expecting per account, exactly? Are you expecting six times more pirates than normal users? That doesn't sound reasonable at all, does it? And consider that most of those who "pirate" the service wouldn't think of buying it anyways, and the number of lost sales turns out not to be that much at all (serving a web page to one person is almost free expense wise).

The point of the above paragraph is that at some point your anti-piracy measures will affect your bottom line negatively, and it's probably sooner than you think. So the most financially sound thing to do is just stop obsessing over it.

If it's machines that you need to restrict, a couple of useful search terms are "kiosk mode" and "lock down" (or variations thereof).

Ok, I will try to sum what I said before, and clear up what I can imagine.
* I live in a post-USSR country, where internet providers are keeping speed down, connections are expensive and extras like a real IP are accessible only at additional fee AND ONLY if you know that they should offer such a service and ask explicitly for it.
* I am trying to protect the content, not the website as it is.
* I need some PCs that would allow anyone who uses this and only this PC to access content for free, yet those PCs are not kiosks or something, just regular PCs behind NATs and proxies.
* The website coverage is countrywide, so no localized approaches are applicable

So it seems for me that it all comes down how to uniquely identify PC at logon. And I mean PC, because cookies are not any good as IE/FF/Opera, each can have a cookie, and if all browsers are open and logged in on my site, they are still valid if they use same PC.

Guest Anonymous Poster
So you want people to authenticate themselves without actually authenticating themselves? Good luck with that.

You misunderstood the idea about the session cookie, by the way. Randomly generate a new cookie for each login, the cookie will be unique to that user for that session. If someone else logs in from another computer again, he will get another, different random cookie, and the first logged in user you can log out at the server then.
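
The one-login-at-a-time scheme from this post and the earlier one that first proposed it, as an added Python example that is not part of the thread: each login issues a fresh random token, the server honours only the newest one per account, and it counts how often a still-live session gets displaced, which is the sign that a password is being passed around. The class name, the 30-minute idle timeout and the one-hour counting window are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict


class SessionRegistry:
    """At most one live session per account; a new login replaces the old one."""

    def __init__(self, ttl=1800, clock=time.monotonic):
        self._ttl = ttl                        # idle timeout in seconds (assumed value)
        self._clock = clock
        self._active = {}                      # account -> [token, last_seen]
        self._displaced = defaultdict(list)    # account -> times a live session was replaced

    def _live(self, account):
        entry = self._active.get(account)
        if entry and self._clock() - entry[1] > self._ttl:
            del self._active[account]          # idle too long: treat as logged out
            entry = None
        return entry

    def login(self, account):
        """Call only after the password check passed. Returns the new cookie value."""
        now = self._clock()
        if self._live(account):
            # Someone was still logged in: a second browser or a shared password.
            self._displaced[account].append(now)
        token = secrets.token_urlsafe(32)      # unguessable, fresh for every login
        self._active[account] = [token, now]
        return token

    def check(self, account, cookie):
        """True only for the newest, unexpired token issued to this account."""
        entry = self._live(account)
        if not entry or not cookie:
            return False
        if not hmac.compare_digest(entry[0].encode(), cookie.encode()):
            return False                       # an older cookie: that browser is logged out
        entry[1] = self._clock()               # sliding idle timeout
        return True

    def displaced(self, account, window=3600):
        """Number of live sessions kicked out by a new login in the last `window` seconds."""
        cutoff = self._clock() - window
        return sum(1 for t in self._displaced[account] if t >= cutoff)
```

An account whose `displaced()` count keeps climbing is the one where users are kicking each other out in turns.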

Basically I want the PC to do the logging for some PCs and users for the rest.

The idea about cookies is nice, although it has some problems with multiple browsers opened at the same time and if someone steals the password and uses it on another computer. In that case legit and unlegit user will be kicked out in turns, but that's probably their fault... :)

Thank You for the suggestion, I'll try to test it out.

Well, it seems like no matter what, they'll need to authenticate at least the first time they access your content. Why not offer a username/password for registration, and then create a profile that contains data like OS, hostname, domain or workgroup ID, CPU, HD serial number or model number. Allow a few of the pieces of data to change over time so you don't screw over the guy who upgrades his box. If the profile changes completely, then you should allow that too, but lock out the original configuration. That will punish the guy who shares his login, but not stop someone who upgrades too much.
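
One way to implement the tolerant machine profile this post describes, as an added Python example that is not part of the thread. The field names, the threshold of three matching fields out of five and the keyed SHA-256 digests are assumptions; as noted earlier in the thread, the values are reported by the client, so this raises the cost of sharing rather than proving which machine is connecting.

```python
import hashlib
import hmac

FIELDS = ("os", "hostname", "workgroup", "cpu", "disk_serial")  # attributes named in the post
MIN_MATCH = 3                             # assumed: up to two fields may change between logins
SERVER_KEY = b"constructed-demo-key"      # placeholder; use a random server-side secret


def digest_profile(raw):
    """Keyed hash per field, so the database never holds raw machine identifiers."""
    return {f: hmac.new(SERVER_KEY, f"{f}={raw.get(f, '')}".encode(),
                        hashlib.sha256).hexdigest() for f in FIELDS}


def overlap(a, b):
    """Number of fields whose digests agree."""
    return sum(1 for f in FIELDS if hmac.compare_digest(a[f], b[f]))


class MachineBinding:
    """One bound machine profile per account, with drift tolerance and lockout."""

    def __init__(self):
        self.current = {}    # account -> digested profile of the bound machine
        self.locked = {}     # account -> profiles that were replaced by a rebind

    def login(self, account, raw_profile):
        """Call after the password check. Returns 'enrolled', 'ok', 'rebound' or 'denied'."""
        seen = digest_profile(raw_profile)
        if any(overlap(seen, old) >= MIN_MATCH for old in self.locked.get(account, [])):
            return "denied"                   # the configuration that was locked out earlier
        known = self.current.get(account)
        if known is None:
            self.current[account] = seen
            return "enrolled"
        if overlap(seen, known) >= MIN_MATCH:
            self.current[account] = seen      # absorb a partial upgrade
            return "ok"
        # Completely different machine: allow it, but lock out the original configuration.
        self.locked.setdefault(account, []).append(known)
        self.current[account] = seen
        return "rebound"


def demo():
    # Constructed sample profiles, not real machines.
    pc1 = {"os": "WinXP", "hostname": "FRONTDESK", "workgroup": "CLINIC",
           "cpu": "P4-2.8", "disk_serial": "WD-111"}
    upgraded = dict(pc1, cpu="Core2", disk_serial="WD-222")   # same box, two parts swapped
    pc2 = {"os": "Win2000", "hostname": "CAFE-07", "workgroup": "NETCAFE",
           "cpu": "Athlon", "disk_serial": "ST-999"}
    mb = MachineBinding()
    return [mb.login("clinic", p) for p in (pc1, upgraded, pc2, pc1)]
```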

Most website owners are worried that their website won't be popular enough... on the other hand you seem rather concerned that half of China will want to visit your website...
