Topic: Secure Counter for Lisp (pay per click)

[Peter2]

I'm trying to find basic ideas for a - simple and secure - "pay per click" solution, based on Lisp.
(Yes, maybe "simple and secure" are no a combination, but an antagonism  ).

Each call of a lisp-file should increase the counter: 51, 52, 53, ...

Idea 1:
use an INI - read file - add +1 - write file
-> problem: everyone can modify the file

Idea 2:
use the INI, but decrypt the content
-> problem: everyone can remove the file (intentional or unintentional)

Idea 3:
use INI plus REG with GUID in synchronization plus decryption
-> problem: ??

At the moment this seem to be a reasonable(?) solution for "simple and secure", but if there are better ideas or better solutions I will be happy to read you comments.

[Bhull1985]

Hrm....think I've seen this done via registry modifications. That way people can't as easily modify them. Could probably find these by a search similar to "registry trial lisp code"

Additionally, couldn't you just set a global variable/use the vl-bb-set (and vl-bb-ref) to establish a counter variable, and with that established put your code into a loop. If the counter > the number of "trials" you wish to allow, then exit the loop and inform user?
If the counter < number of trials, enter main program loop.
Naturally, increment counter variable after successful run of program as opposed to upon each load/call to the program. (that way you're not jipping unexperienced users, but of course is up to you)

Hopefully one of these methods will work for you, although they seem intermediate I'm surprised you haven't mentioned them, so perhaps this isn't what you're looking for.

Only one way to find out!

[ChrisCarlson]

What's the end goal for this? Why would you waste time developing simple to break security features when that time could be spent refining the lisp and utilizing the Exchange?

[Peter2]

The goal of it is to get the number of "clicks" (= calls of a program), to store it locally and to get it every month to create a "pay-per-use invoice". This is why the value must be stored.

...to break security features ....

Sorry, I don't understand. I don't want to break security features ...??

[Bhull1985]

I think he meant that it'd be possible for someone to go into the code and edit out the counter part, perhaps?

[Peter2]

I think he meant that it'd be possible for someone to go into the code and edit out the counter part, perhaps?

Yes, of course this could be possible - to hack it and remove the counter-code and the licence-code. This is why I'm aware that "secure" is not "secure", only "not (too) simple to hack".

[Bhull1985]

what about compiling the code beforehand?

[mjfarrell]

and why on earth, pay-per click?  I think this is a poor path to choose

[Peter2]

what about compiling the code beforehand?

You mean the code of my lisp? Yes, of course it will be compiled to VLX.

and why on earth, pay-per click?  I think this is a poor path to choose

Why?

[ronjonp]

and why on earth, pay-per click?  I think this is a poor path to choose

X2 ...

[dgorsman]

Might just be a terminology issue.  There's several professional packages which have a pay-per-use system, where the user purchases a "bucket of tokens" with each use drawing a certain number of tokens.

While there are a number problems to be addressed it makes for a good thought problem.

[Peter2]

...X2 ...

? ? ?

[ronjonp]

...X2 ...

? ? ?

I would not use a pay per click service .. can't describe why .. just wouldn't.
Does not really matter though, it's just my opinion. Carry on 

[VovKa]

Idea 3:
use INI plus REG with GUID in synchronization plus decryption
-> problem: ??

http://technet.microsoft.com/en-us/sysinternals/bb896645

[Peter2]

...it's just my opinion. Carry on 

It's OK, thanks. But I don't know what "X2" means ...

http://technet.microsoft.com/en-us/sysinternals/bb896645

Yes, also http://www.nirsoft.net/utils/reg_file_from_application.html
But in combination with decryption it could be one more barricade for the 'just-to-be-curious-about'-hacker.

Better solutions are still welcome!

[mjfarrell]

Why not use a pay-per click he asks?


A: Most want a fix cost on their solutions.  Most want to know how much this thing is going to cost them.

I would say put a value on it, sell it at that value.

AND

offer the option of Pay-per click and see how many want to deal with a recurring cost.

[Peter2]

...
A: Most want a fix cost on their solutions.  Most want to know how much this thing is going to cost them.
...

I agree with this considerations. But the challenge behind it is that this solution is a "one per company" solution. No matter if the have 2 or 200 employees - they need only one licence. And if you purchase a standard software you have "more employees - more licences - higher costs - higher values". The pay-per-usage should allow to follow this idea ....

[danallen]

Sounds like a common phone app economic model, free to download with some trial clicks, then option for in app purchases

[mailmaverick]

If a company has 200 computers it is cumbersome to count number of uses for each computer. Why don't you make a central server which is always online . Then sell ur program to each company with different unique code ( the unique code will be same within the company even if it has 200 computers but will be different for different companies).. Every time the program is run, it would send unique code to ur central server through internet and add 1 to the usage of that company. In this way you will always have record of number of uses done by each company.

Now how to do it ? The experts can tell.

[roy_043]

If you are looking for other measures against piracy consider using hard disk SerialNumber values and/or loginname values in combination with an encrypted file.

[Keith™]

First things first ... the OP asked about a simple and secure way of having a "pay per click" service for lisp, not about the merits of such a system.

That being said, the solution is that you can have simple or secure, but both together does not seem plausible. Let me explain why.

Lisp as a platform for development is not secure. You can compile the code to VLX, but VLX can be decrypted or you can obfuscate it and while that makes it difficult to read it does not make it too difficult to hack. Other options include creating special encryption for the core of the application, but that requires building an encryption/decryption function that a user could easily hack and subsequently use to decrypt the application and circumvent the security.

It was previously mentioned that perhaps you could use a server to track the usages, however, what if you used a server to manage the lisp core application and used a similar approach like this to retrieve the application and also use it to track usages. You wouldn't need to have the whole application on the server, only important parts that are critical to the operation of the program.

Now to the merits of such a system.
Some folks say that they would not use a "pay per click" application, and while that may be true, I think that in truth, they would in certain circumstances. Having a fixed cost system for unlimited access has its merits and is probably preferred in a high volume environment, but, for those environments where there is value in a "pay per click" usage scenario, it is a great solution.

All you need to do is look at the cell phone industry, and while it has migrated almost universally to the "unlimited access" model, there is still a thriving market for paying only for your usage. A clear example is my state issued cell phone. In the past, I used to ask the question: "In this modern time, why do we hear about government agencies back-charging employees for personal use of cell phones when an unlimited plan is so cheap and there is no additional charge regardless of usage?" The answer is (I found out recently) that most government phones are on a pay per unit schedule. My state bill hasn't exceeded $5 a month, but my personal bill is still $50 a month and I talk on my state phone more than I do my personal one!

The point is, a "per use" application makes sense in some cases, probably more often that most people would like to acknowledge ... but then people like the idea of paying a flat rate for something and not having to continually pay for it, even if it is more expensive. AutoCAD for example is nearly $2650 if you do the subscription, you pay each year ... for some folks that equates to a lot of "per drawing" expense. If Autodesk charged a reasonable "per drawing" fee instead of the $2650 per year, you can bet that people would jump on it, especially considering a subscription costs on average $100 per day, per employee. Suddenly a $10 or $20 per drawing fee doesn't seem so outrageous.

[ronjonp]

...
 especially considering a subscription costs on average $100 per day, per employee.
...

On the subscription plan we pay about $2 a day per employee 

[Keith™]

...
 especially considering a subscription costs on average $100 per day, per employee.
...

On the subscription plan we pay about $2 a day per employee 

Really? I guess it really does matter who you are ...

Autodesk lists the retail price of AutoCAD 2015 at just under $2650 per year per seat for subscription. With an estimated 260 work days per year, that is where the $100 comes from ... am I to understand that your firm pays a mere $500 per year per seat? What a bargain!

[snownut2]

Really? I guess it really does matter who you are ...

Autodesk lists the retail price of AutoCAD 2015 at just under $2650 per year per seat for subscription. With an estimated 260 work days per year, that is where the $100 comes from ... am I to understand that your firm pays a mere $500 per year per seat? What a bargain!

You seem to have misplaced a decimal point.....  2650/260=$ 10.19  :kewl:

[ronjonp]

...
 especially considering a subscription costs on average $100 per day, per employee.
...

On the subscription plan we pay about $2 a day per employee 

Really? I guess it really does matter who you are ...

Autodesk lists the retail price of AutoCAD 2015 at just under $2650 per year per seat for subscription. With an estimated 260 work days per year, that is where the $100 comes from ... am I to understand that your firm pays a mere $500 per year per seat? What a bargain!

You pay $2650 a seat per year on subscription ?

[Kerry]

<..> With an estimated 260 work days per year < .. >

I've always estimated a cost distribution spread over 230 days at best per year ... and usually do calculations on expecting 210.

let's see ..
(weeksPerYear - annualLeaveWeeks) * daysPerWeek - publicHolidayDays - sickies - ( meetings and coffee) - Mondayitis

[Keith™]

Really? I guess it really does matter who you are ...

Autodesk lists the retail price of AutoCAD 2015 at just under $2650 per year per seat for subscription. With an estimated 260 work days per year, that is where the $100 comes from ... am I to understand that your firm pays a mere $500 per year per seat? What a bargain!

You seem to have misplaced a decimal point.....  2650/260=$ 10.19  :kewl:

DOH!!! I guess simple math isn't my forte

I hereby change my opinion and ronjonp is automatically crowned King Archimedes II (or King Thales II if you are so inclined)

[mailmaverick]

Even after 26 replies,  the solution to OPs question is still a mystery.

[ronjonp]

Even after 26 replies,  the solution to OPs question is still a mystery.

It's not a mystery. . just not discussed.

[MickD]

Sometimes you need to make a compromise on security vs simplicity, is it really worth the extra work to make it secure only to have it cracked anyway?

If you spent say 100 hours developing and testing your licensing system at say $50 per hour that's $5,000 of wasted time & money! (and 100 hours doesn't go very far!)
This means you have more invested in your software and may need to up the price therefore making it not as attractive to the buyer. Not to mention the extra hassle the user has to go through to set it all up and for you to manage it.

The reality is if the price is very affordable and it is being used by 'proper' businesses they will be happy to pay, not only to avoid the legal problems of pirated software but you should also be offering support and other benefits for being a subscriber. Not only that they have a job to do and could not really justify the time spent cracking the software over doing billable work if the price is right.

Will the hackers be worth $5,000 worth of sales? Probably not and they would most likely crack it anyway so no money there.

You need to find a balance for 'breakages' if you like and figure that into your pricing plan, you won't win everyone over no matter what so keep it simple and just annoying enough to make it a pain if anyone becomes curious.

A binary or encrypted file could be enough, maybe a binary number in the registry? If it's imperative that you need to have it super tight I think you would be better off with another language or to at least have an arx/dll to do the licensing and 'per-click' monitoring and some core work for you, lisp is an easy crack as pointed out earlier.

Give users a very reasonable time trial so it becomes part of their workflow and they can see the benifits and as mentioned, try to create revenue from other services. Take the music industry these days, most struggling bands make more from merchandise after the concert than what they get paid for the gig. They have learned to work smarter with their audience, the hardest part is getting them there .

good luck.

[Peter2]

Hi

I was absent some days; now here is my recapitulation:

Use a server with always online-connection to the software:
Sounds "state of the art", but is not really "simple" and sometimes impossible (firewall, other security restrictions, connection failures, ..)

Lisp is not secure, everything can be hacked
Yes, but I act on the assumption that many users (companies) don't want to hack and don't know how to hack. And to modify a pure text counter (1, 2, 3, 4, ...) is the easiest "hack".

Pay per click is not a good solution
Depends on .... - see postings above

Earn money with other services; offer pay-per-click and non-pay-per-click
I have to think about it.

2650/260=$ 10.19
Yes.

Thanks for your postings; I have to think about the next steps.