When Propellerhead software released Record they resorted to a new copy protection scheme for their software: a dongle; also called an ignition key.
Many people have a love / hate relationship with the dongle as copy protection but in my opinion the Propellerheads have done very well to try and make this as pleasant as possible for us customers. Their copy protection scheme is provided by “Wibu systems”, whose software even allows us to make a backup of our license!
Unfortunately there is also something to dislike: this same software also allows everyone a certain amount of access to our license information when used with the default settings. There is no immediate risk mind you, no cause for panic. Still; I do think you might want to read on and tighten its security anyway.
Dongles and support software
Many software companies use dongles these days to protect their software from being copied illegally. The theory is simple: insert the dongle, start the program and the program will detect the dongle and the information on it. Based on that information the software will then know if it’s licensed to run or not.
However; it’s not so much the dongle we should be worried about, but the software which comes along with it. In most cases we’re provided with drivers and support software so that our operating system can manage the dongle appropriately. With the Propellerhead ignition key this software also allows us to copy our license from the Propellerhead website onto our dongle.
But there’s more…
The software being used is called CodeMeter and you’ll find it becoming active as soon as you insert the ignition key into your system; on Windows its icon shows up in the system tray. Since I’m unfamiliar with MacOS I can’t comment on that environment.
The CodeMeter program has a main screen called the Control Center from which you can do some basic (and advanced) operations. You can (re)name your ignition key, you can import extra licenses, even defragment the ignition key. And you can check up on the program’s preferences, and this is where the problem starts to surface.
For all interactive operations such as changing the CodeMeter program preferences or making a backup of your license(s) the software uses a web interface. This wouldn’t be much of a problem if the program didn’t make this web interface accessible to everyone, without so much as a password.
I’m not kidding you; when I installed Reason 6 this CodeMeter program obviously came along for authentication. During its installation it changed the Windows firewall to allow access to the port it’s using and instead of limiting access to my home network it set up public access instead.
And now we come to the big question; why this would be a problem…
It’s not a major problem per se because fortunately for us there are plenty of safeguards. For example; you cannot restore licenses from a remote location, you cannot perform any writing actions (like making a backup) from a remote location, and so on. That is; when the software is being used normally.
But what would happen when hackers find exploitable code in there?
Let me be very clear here: I’m not insinuating that there is a problem with the current security model. However, I am stating that we’re taking risks which we don’t have to.
Protecting your license information
It’s so simple that I can’t understand why this isn’t applied by default.
Like any webserver CodeMeter allows you to configure which network interfaces it should use. When you tell it to only use the so called ‘localhost’, whose IP address is 127.0.0.1, you’re basically telling it that it should not listen to anything coming from whatever network you’re hooked up to, but only listen to requests which were made on your computer itself.
And no; this does not affect the way Reason (or Record) will gain access to your authentication data.
Here’s how you do it:
- Open the web interface by going to your CodeMeter control center and clicking “WebAdmin”.
- Another option is to open a browser and go to this URL: “http://localhost:22350/”.
- Click on the ‘configuration’ tab.
- Change the ‘Bind Address’ setting to 127.0.0.1 and click apply.
- Restart your computer.
Once you’ve done all these steps the web interface only answers requests made on your own computer, so no one else can access whatever information they might gain from this software.
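To confirm the Bind Address change took effect after the restart, look at which addresses the port is listening on. The script below is an added example, not part of the original post or of CodeMeter: it assumes the column layout of Windows `netstat -an`, the function names are hypothetical, the two sample outputs are constructed, and it only looks at TCP listeners.

```python
import ipaddress
import subprocess

CODEMETER_PORT = 22350  # port taken from the WebAdmin URL quoted in the post

# Constructed samples in Windows `netstat -an` layout, not captured from a real machine.
SAMPLE_BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING
  TCP    [::]:22350             [::]:0                 LISTENING
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED
"""
SAMPLE_AFTER = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING
"""

def listeners(netstat_text, port=CODEMETER_PORT):
    """Return the local addresses that have a TCP listener on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows in a listening state; skips headers and connections.
        if (len(fields) < 4 or fields[0].upper() != "TCP"
                or fields[3].upper() not in ("LISTENING", "LISTEN")):
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            found.append(host.strip("[]"))  # IPv6 is shown as [addr]:port
    return found

def exposed(netstat_text, port=CODEMETER_PORT):
    """Return the listeners on `port` that are not bound to loopback only."""
    result = []
    for host in listeners(netstat_text, port):
        try:
            # Drop an IPv6 zone id such as %12 before parsing the address.
            if ipaddress.ip_address(host.split("%")[0]).is_loopback:
                continue
        except ValueError:
            pass  # unparseable address: report it rather than assume it is safe
        result.append(host)
    return result

if __name__ == "__main__":
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    bad = exposed(out)
    print("reachable on:", bad if bad else "nothing (loopback only, or not running)")
```

An empty result means the web interface is bound to 127.0.0.1 or ::1 only; `0.0.0.0` or `::` in the result means it still accepts connections on every network interface.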
How to backup your licenses
This is where the cool stuff begins, and it will show you why I truly think that Propellerhead software couldn’t have done any better (apart from not using a dongle):
If you make a backup for the first time you need to tell the software where it should store your backup, like so:
- Go to the web interface as explained before.
- Then go to the ‘Configuration’ tab and click the ‘backup’ option.
- Here you have an entry field called “Backup Path”. Fill in the directory where you want your backups to be saved.
Keep in mind that you only have to do these steps once. After this you can go straight into the web interface and start the backup. Even better: it can also make its own backups automatically:
- Open the web interface as before.
- Go to the ‘Content’ tab.
- Click the ‘Backup/Restore’ option.
- Now simply click ‘Backup now’.
The file will be stored in the directory which we set up earlier and will be called something like: “CM-Backup<ignition serial>-<full-date>.wbb”.
Where ‘ignition-serial’ and ‘full-date’ obviously stand for the serial number and the fully written out date and time (for example: “12Jul05-20-10-40”).
We may dislike the whole dongle key but as stated above I honestly think that Propellerhead software could have done a lot worse than they have now. The current setup allows for options which I think are quite rare when it comes to dongle-based copyright protection.
However; I do stand by my comments above: the software as a whole could have done much better to protect our license information.
Added to this: to some extent the same can be said about Propellerhead software themselves. Did you know you can password protect your license?
That is for a next post; not to add to the suspense but because I’m wasted at the time of writing (you try living in Europe and blogging when it’s 30 degrees Celsius out there).
Yes.. I can’t stress this out loud enough: there is no imminent danger, ‘they’ are not knocking at your doorstep as we speak (but maybe I am ;)) and most of all: there is no cause for panic.
However; your license could be better protected and that’s why I wrote this all up. Why take the risk?