Creating a SystemId from a mac address

RomanV · January 23, 2018, 8:28pm

In my app I use the hashed mac address of the network card to create a system ID.

Here’s what I did :

Dim n as NetworkInterface n = System.GetNetworkInterface(0) dim mac as string = n.MACAddress

For quite a long time it worked ok, with all users… but there is ONE guy with a windows laptop whose SysId has already changed two times now… incidentally it was the same computer were suddenly my app stopped working… pls look https://forum.xojo.com/45390-failed-to-locate-framework-dll/p1#p368559

Anyway… what could cause the SysId to change (other than replacing the network card) ?

Thanks
Roman

Javier_Menéndez · January 23, 2018, 8:53pm

Hi Roman,

You don’t need to change the network hardware in order to change the MAC address (is not that hard). In fact, you can manually do that; or via some apps / utilities that search to anonymize the user when accessing Internet.

Maybe he is running the app from a VM?

Javier

Tim_Parnell · January 23, 2018, 8:54pm

Especially on Windows you can change or spoof the MAC address.
Additionally, if their network configuration changes, the MAC address or order of NetworkInterfaces can change.

It has been mentioned throughout the forum in a few different spots that using the MAC address of one of the NetworkInterfaces is not a good system identifier.

Kimball_Larsen · January 23, 2018, 9:16pm

Not only all the above, but you are also using the 0th network interface that Windows reports… and it does not always report them all in the same order. The computer may have an ethernet jack, a wifi antenna, a bluetooth radio, other various internal ports / bridges, etc… ALL of those show up as a Network Interface at the OS level, and something as simple as a reboot may change the order they are reported, which would swap out the MAC address of System.GetNetworkInterface(0), as it reports a different physical or virtual device.

RomanV · January 23, 2018, 9:19pm

I get it guys… but if someone fakes their Mac addres he would STILL be unauthorized has he doesn’t know the list of authorized mac addresses in the server. He would still have to hack the server…

(also this are corporate pc’s… I don’t think no one will have time, or dare to mess trying to sppof the MAC address)

but anyway… Having that said this worries me a bit…

something as simple as a reboot may change the order they are reported, which would swap out the MAC address of System.GetNetworkInterface(0)

So what’s the alternative to identify a computer ?

Kimball_Larsen · January 23, 2018, 9:41pm

Windows (since Window 8, I believe) assigns a UUID value at install time to somewhere in the registry. That won’t change unless they wipe and re-install Windows from scratch. It’s not perfect, but it is far better than the MAC address.

I believe the registry key is: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineGuid

RomanV · January 24, 2018, 2:38am

Is the regkey not editable ?
Also I need support for windows 7…

Other ideas ?

Kimball_Larsen · January 24, 2018, 5:05am

I believe that editing the regkey will invalidate the windows registration, so it is less likely than a spoofed MAC address - particularly given your users are in a corporate environment.

However, that brings up another scenario: in a corp environment, often machines are imaged, which would mean multiple machines may have the same GUID, since they all use the same disk image to start.

Getting a good machine ID for Windows is more or less impossible. There are several approaches that have been discussed / used at length that you can find on this forum. MBS Plugins offers a way to get a unique machine ID in one of their plugins - but I found that even that has a tendency to change over time with Windows Updates, upgrading from Win 8 to Win 10, hardware changes, etc.

Here is the general approach I use to limit the number of physical installations of my app: Have your app create it’s own unique ID per machine when the app is first installed / run (or pull a fresh UUID from your registration server). Then have it record that somewhere that always stays with the installation, in the app’s database or tucked into the application data directory, etc. Any time an instance of my app starts up it bumps up against the registration server and says “hey, I’m license 1234, and my machine ID is {uuid generated at first install}. Here’s a bunch of other information that may also be useful in identifying me: my system name, my screen count and sizes, my windows system hard drive size in bytes, my Widows GUID (if it exists), all the MAC addresses for Wifi or Ethernet cards attached, etc.”

My registration server keeps track of all this, and I’ve built backoffice tools that let me quickly look at a user’s license and see a list of all the parameters reported by all the computers they have used. It’s obvious when a license has been abused, and I can easily contact the user to see what’s up or deactivate the license, etc.

Keep in mind that it is impossible to stop all piracy, and you will see diminishing returns on your efforts to thwart it. In my experience, most users are honest. Those that are not won’t pay for your app even if you do force it not to work until they do.

Asis_Patisahusiwa · January 24, 2018, 7:19am

I use BIOS serial number.

Javier_Menéndez · January 24, 2018, 9:50am

You may also consider my GuancheMOS plug-in: multiplatform, 32/64 bits compliant, and easy to implement.

Javier

Chris_Carter · January 24, 2018, 10:06am

In addition to the other points, a user may have a laptop with wifi but no built-in hardwired ethernet port, but use a USB pluggable ethernet connector sometimes. Without the USB-Ehternet device, interface(0 would be Wifi, but with the USB one plugged in it might be seen as interface(0) and the Wifi as interface(1)

Christian_Schmitz · January 24, 2018, 3:26pm

We have a few functions for this in SystemInformationMBS module in MBS Plugins.