Doh, replied to Dave not the PICList.. Sorry.

> -----Original Message-----
> From: Ashley Roll [mailto:ash@digitalnemesis.com]
> Sent: Friday, 3 August 2001 10:11 AM
> To: 'Dave@nti-uk.com'
> Subject: RE: [OT]:Dongle - aka node lock
>
> > Hi everyone,
> >
> > I reckon a really good dongle would be one that stored the
> > 'key' parts of the code internally. When a correct serial is passed to it
> > and verified it would return the correct, unencrypted code. Therefore a
> > cracker couldn't achieve anything as the program would be missing parts. A
> > nice 64k eeprom could store some essential code nicely hidden away from crackers.
>
> Nope..
>
> First off, you could just read the EPROM, but that requires
> tools, far simpler to use software like "SoftICE" (If I
> remember correctly) and just dump a memory image of the
> running process once it has loaded the "secret code". Then it
> is a simple matter to turn this back into an exe. May not be
> elegant, but nowhere near above the "bored student" level
> mentioned before :)
>
> Basically, there is one simple rule to software copy
> protection - you can't do it unless you control and
> monitor the hardware (as in a PIC etc where you can prevent
> access to the code).
>
> I'm afraid that your only hope if you really want to sell
> secure software is to sell it preprogrammed onto a secure
> computer in a big unopenable box :) It would be a "server"
> and you would have "thin clients" that talk to it. These
> would be freely available, and are useless without the server
> :). It's then even better if this box is located on your
> premises, and your client accesses it through the internet.
> That's about as secure as you're going to get.
>
> Now, securing a big box and computer so it can't be accessed
> by a user on the site is another problem :) The military use
> self destruct mechanisms, but I'm not sure how the regulatory
> authorities would like that :)
>
> Sorry to put a damper on the idea, but it's better finding
> this out now than when you're shipping the software :)
>
> The reasonable position that I can see is that you have to
> accept that people that really want to pirate your software,
> can and will. You just have to make the cost reasonable and
> the benefits of registration (updates, extra etc) appealing.
> The most (I have or would do) is put a decent serial
> number/key system in place. One that they can't simply
> generate keys for - which means a Public/Private key crypto
> system. If you're particularly paranoid your application could
> require "internet" access periodically to authenticate its
> key against a central computer. But this is going to annoy
> your users almost as much as a dongle.
>
> Ash.
>

--
http://www.piclist.com hint: The PICList is archived three different ways.
See http://www.piclist.com/#archives for details.
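
The serial number/key system mentioned in the message above ("one that they can't simply generate keys for"), as an added example that is not part of the original post: the vendor signs the licence fields with a private key, and the shipped program checks them holding only the public key. Ed25519, the "payload.signature" layout and every name here are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// demoKeys derives a fixed pair from a constructed seed so the example repeats.
// A real vendor key is random and its private half never ships to customers.
func demoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

// IssueLicense runs on the vendor side only and returns "payload.signature".
func IssueLicense(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyLicense is what the shipped program does with only the public key.
func VerifyLicense(pub ed25519.PublicKey, key string) (string, error) {
	i := strings.LastIndex(key, ".")
	if i < 0 {
		return "", errors.New("malformed key")
	}
	sig, err := base64.RawURLEncoding.DecodeString(key[i+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, []byte(key[:i]), sig) {
		return "", errors.New("signature does not match payload")
	}
	return key[:i], nil
}

func main() {
	priv, pub := demoKeys()
	key := IssueLicense(priv, "user=alice@example.com;edition=pro")
	_, err := VerifyLicense(pub, key)
	fmt.Println("genuine key accepted:", err == nil)
	_, err = VerifyLicense(pub, strings.Replace(key, "edition=pro", "edition=ent", 1))
	fmt.Println("edited key rejected:", err != nil)
}
```

Because the program carries no signing secret, reading it does not let anyone mint new keys; it does nothing about the program itself being altered, which is the limit the message describes.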