Author Topic: Multiple License Owners in 1 network  (Read 6865 times)

2015-02-26, 11:42:21

racoonart

  • Active Users
  • **
  • Posts: 1446
    • View Profile
    • racoon-artworks
two questions about licensing

1) I've successfully activated the license server in our network here running my own license(s). Now, what happens when the company buys additional licenses on another user account (different login credentials). Is there a way to add it to the current license server?

2) Is there a way to see how many licenses are currently used by which machines? If a workstation license is locked I'd want to be able to see which machine is using it.
Any sufficiently advanced bug is indistinguishable from a feature.

2015-02-26, 12:40:30
Reply #1

Ondra

  • Administrator
  • Active Users
  • *****
  • Posts: 9048
  • Turning coffee to features since 2009
    • View Profile
#1: this is currently not possible, there may be something as setting license server IP on client, or whitelisting IPs on server in the future. You can however get around it with creative use of firewall

#2: this is currently not possible to view, sorry
Rendering is magic.How to get minidumps for crashed/frozen 3ds Max | Sorry for short replies, brief responses = more time to develop Corona ;)

2015-02-26, 12:49:31
Reply #2

racoonart

  • Active Users
  • **
  • Posts: 1446
    • View Profile
    • racoon-artworks
Ok, thanks. So there is some space for improving the lic server in future versions ;)

Another very important point for me would be encrypted login data storage, for the lic server as well as for directly activated workstations/slaves. Currently everyone in the network could grab the txt with the login data and stop my subscription or add licenses online.
Any sufficiently advanced bug is indistinguishable from a feature.

2015-02-26, 14:32:16
Reply #3

Ondra

  • Administrator
  • Active Users
  • *****
  • Posts: 9048
  • Turning coffee to features since 2009
    • View Profile
some level of encryption can be done, but in the end, everything that is supposed to work automatically WILL be crack-able/extract-able.
Rendering is magic.How to get minidumps for crashed/frozen 3ds Max | Sorry for short replies, brief responses = more time to develop Corona ;)

2015-02-26, 15:31:19
Reply #4

racoonart

  • Active Users
  • **
  • Posts: 1446
    • View Profile
    • racoon-artworks
It's not about people trying to crack it, they will be able to do it anyways. It's just not a good idea to share my login details with everyone in the network (or who has access to a workstation or render slave) - for example student 2-week-interns. Someone can grab the info and activate his machine somewhere else and I can't do anything about it, I won't even notice since I'm not able to see where licenses are used.

Simple encryption keeps 99,99% of people locked out of my online account and costs almost nothing.
« Last Edit: 2015-02-26, 15:35:54 by DeadClown »
Any sufficiently advanced bug is indistinguishable from a feature.

2015-02-26, 16:40:37
Reply #5

Ludvik Koutny

  • VIP
  • Active Users
  • ***
  • Posts: 2557
  • Just another user
    • View Profile
    • My Portfolio
It's actually even worse. One who opens the file and grabs the login data can easily get to customer zone, log in, cancel any plans and also freely change the login password (which is used on computers as well), since password change does not even prompt for current password.

2015-02-26, 17:06:09
Reply #6

racoonart

  • Active Users
  • **
  • Posts: 1446
    • View Profile
    • racoon-artworks
Yes, I forgot that I could even change the password. That's quite a problem... but even if it would prompt for the current password, those people already used it for login anyways :D
« Last Edit: 2015-02-26, 17:10:39 by DeadClown »
Any sufficiently advanced bug is indistinguishable from a feature.

2015-02-26, 17:09:25
Reply #7

Ludvik Koutny

  • VIP
  • Active Users
  • ***
  • Posts: 2557
  • Just another user
    • View Profile
    • My Portfolio
Well, now we need to convince Ondra it's really a problem :)

2015-02-26, 17:12:48
Reply #8

racoonart

  • Active Users
  • **
  • Posts: 1446
    • View Profile
    • racoon-artworks
I hoped we already did O__o
Any sufficiently advanced bug is indistinguishable from a feature.

2015-02-26, 17:25:52
Reply #9

maru

  • Corona Team
  • Active Users
  • ****
  • Posts: 12711
  • Marcin
    • View Profile
Guys, maybe we should hide this discussion somewhere. :D
Marcin Miodek | chaos-corona.com
3D Support Team Lead - Corona | contact us

2015-02-26, 18:20:13
Reply #10

Ondra

  • Administrator
  • Active Users
  • *****
  • Posts: 9048
  • Turning coffee to features since 2009
    • View Profile
ok, so to clarify:
1) Most important: if a computer can activate license without you putting in the password, then the password can be extracted. Encrypting won't work since the encryption key would have to be also stored locally. BFU might not be able to do it on his own, but somebody could do a BFU-friendly application for that. Always bear that in mind. The only safe way is to use Box license or the licensing server.

2) The recommended solution in untrusted environment is using the licensing server. When using the licensing server (correctly ;)), there are no passwords stored on end-user machines, only on the server. There are no passwords being sent over the local network. The password is only sent from licensing server to our server, using standard HTTPS encryption, which is impossible to intercept without having access to the server or launching a very sophisticated man-in-the-middle attack.

3) Password is stored in plain text only when using the activation via CoronaActivation.txt file. If you input the login in 3ds Max activation dialog, it will get saved to HDD in encrypted form (which is still breakable! - see #1)

4) Even when using CoronaActivation.txt, you can delete the file after initial activation - the login will then be stored in breakable, but encrypted form (same as #3), and automatic extensions of the license will work

5) You cannot lock somebody out of his account without breaking into his email - since all passwords can be reset via emailed link.

6) You cannot order new stuff after breaking int somebody's account. You can only cancel his subscriptions (Corona will still work for the period that was already paid for)
Rendering is magic.How to get minidumps for crashed/frozen 3ds Max | Sorry for short replies, brief responses = more time to develop Corona ;)

2015-02-26, 18:31:24
Reply #11

Ludvik Koutny

  • VIP
  • Active Users
  • ***
  • Posts: 2557
  • Just another user
    • View Profile
    • My Portfolio
You are still missing the point. It's not about encrypting it so it's unbreakable. It's just about making it non human readable, so that anyone can not simply go to the folder, open the file and read login mail and password.

2015-02-26, 18:33:35
Reply #12

Ondra

  • Administrator
  • Active Users
  • *****
  • Posts: 9048
  • Turning coffee to features since 2009
    • View Profile
read #4 again
Rendering is magic.How to get minidumps for crashed/frozen 3ds Max | Sorry for short replies, brief responses = more time to develop Corona ;)

2015-02-26, 18:34:37
Reply #13

Ludvik Koutny

  • VIP
  • Active Users
  • ***
  • Posts: 2557
  • Just another user
    • View Profile
    • My Portfolio
That doesn't change anything on the fact login details should not be exposed anytime anywhere. The activation takes a while, before max starts up and reads the licence. Someone on the right place at the right moment can still take advantage of it.

It's kind of similar excude nVidia had when raysat.exe vulnerability was discovered. They just said "Sure, that's by design, and it's up to you to keep your network safe."

2015-02-26, 18:40:46
Reply #14

Ondra

  • Administrator
  • Active Users
  • *****
  • Posts: 9048
  • Turning coffee to features since 2009
    • View Profile
The communication with server cannot be intercepted in this mode either.

Why is it impossible to just activate Corona on a machine, deleting the file, and THEN letting your interns sit in front of that computer? What better solution would you propose? You need to input the password at some point somewhere. Pre-hashing or generating activation tokens would not help - then these tokens could be stolen instead of the password. I just dont see the problem here, there are plenty of ways to avoid it
Rendering is magic.How to get minidumps for crashed/frozen 3ds Max | Sorry for short replies, brief responses = more time to develop Corona ;)