Hi All

> > Doh, replied to Dave not the PICList..
> > I never got this message. Strange. Oh well.

Yep, for some reason it bounced back to me yesterday as undeliverable.. Oh well.

> > > First off, you could just read the EPROM, but that requires
> > You would store the code in the eeprom in encrypted format.
> You could use some fancy one way encryption thingy like winzip does on
> password protected files. Nobody has managed to break this yet as far as I am
> aware. If you used the serial they entered as the encryption key to decrypt
> the encoded data in the eeprom of the dongle then an invalid serial would
> still generate data to be sent back. This data is of course likely to cause
> adverse effects when executed and would most likely result in a crash.

The problem is that at SOME stage the code has to be decrypted and placed in memory on the computer so it can run. That is when it gets grabbed. Now, I'm not saying this is easy, but to a sufficiently determined attacker this wouldn't pose much of a challenge. All the code and the keys to decrypt it are in your software for the taking :)

As for WinZip, I'm not sure, but I know the encryption in PKZip is very poor. If you know some "plain text" (data from the files in the ZIP, like file headers in EXE images, the name of the company in the Word doc etc.) it is possible to crack it in very little time. I read about it in "Applied Cryptography" by Schneier.

> > > tool, far simpler to use software like "SoftICE" (If I
> > > remember correctly) and just dump a memory image of the
> > > running process once it has loaded the "secret code". Then it
> > I have used SoftICE on many occasions. There are many ways around SoftICE.
> Also Sice does not handle self modifying code so well.
> Dumping the running process would not work as the program would attempt to
> overwrite the code with its code from the dongle on execution, messing
> everything up. Of course this could be removed, with a lot of patching.
Fair enough, I've never used it.. Just an example of the kind of software that you can get to help. The problem is that in doing this you are simply hiding behind obscure activities, but it is all there for someone to get at. All they need is a reasonable tool. Actually it isn't too difficult to write your own. Just attach to the running process (under Windows) as a debugger and you have full access to it.

> > > Basically, there is one simple rule to software copy
> > > protection this - you can't do it unless you control and
> > > monitor the hardware (as in a PIC etc where you can prevent
> > > access to the code).
> > I agree, there will always be people with a lot of free time
> on their hands. However, most crackers do not have much electronics
> knowledge. They think they can read a few web sites on cracking winzip and mirc and
> be ready for the world. Of course, there are the few exceptions who are
> willing to spend unlimited amounts of time until they break it.. they probably
> deserve the software though after all that effort. Still, nothing a new
> release of the software and dongle code wouldn't fix :)

They don't need ANY knowledge about electronics, they just observe the software and find out what it is doing. Unfortunately, those few that "deserve it for breaking it" distribute it. It's a badge of honour to them, and the harder it is to crack the more renowned they become for it. I don't condone software piracy, but if you've never done this before it's an eye-opener. Go to your favourite search engine (AltaVista, Google etc.) and type the name of your "copy protected" software and crack as the search terms (eg "+Autocad +crack") and see how many hits you get.

> Also some dongle software update mechanism could be set up so
> the internal code for the dongle could easily be 'patched' when new software was
> released. Of course, without ever letting the users know it
> is the dongle being updated and not the software.
> Just to give the
> crackers an extra challenge.

You could, but again if they cracked the first version (and it is already out there on the pirate sites) they will simply use the same techniques to crack the new version. This is because the only trusted hardware you have is the dongle, but you can't trust what is attached to it. The attacker can see and do anything they like to the computer in an effort to break your copy protection. At some stage the stuff in the dongle gets onto the computer in a runnable (unencrypted) form and then they have it.

> > > The most (I have or would do) is put a decent serial
> > > number/key system in place. One that they can't simply
> > Depends on the product. A £20 ($28) product definitely does not need a
> dongle costing nearly half as much to produce. However, a
> £4000 ($5616) product only sold to a small number of clients definitely
> justifies the extra protection a dongle can provide.

I agree that some software is worth more than others and that it deserves at least an attempt to protect it. However I don't believe that dongles offer much protection. They only frustrate your legitimate users.

If you have only a small number of users it could be possible to customise the software in some innocuous way that is hidden and also have their details in it that are shown at a splash screen, then at least you know where the pirate version came from. The cracker is likely to only work out how to change the obvious customisation and will never know the other one is there as it won't affect the software.

The only way I can think of to sell software without the risk of piracy is to sell access to it on an Internet "Application Service Provider" that you control. And this opens a whole new can of worms. How many people would use an ASP to design their next products :) Who do you trust :)

> Well, these are just my opinions. I may, and probably am a
> lot of the time, be incorrect.

As these are just mine. :)

My favourite motto from when I did some computer security consulting was "Security through obscurity is no security at all".

Maybe someone out there who is writing commercial software would care to give their opinion and experiences?

Cheers,
Ash.

--
http://www.piclist.com hint: The PICList is archived three different ways.
See http://www.piclist.com/#archives for details.
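An added worked example, not part of the thread (written for this page; the serial, the "secret" routine, the toy cipher and the hook are all constructed, and nothing here describes any real dongle product). It models the scheme Dave describes (code kept encrypted, decrypted with the serial the customer types in) and Ash's objection to it: the loader has to turn the blob into runnable code at some point, and an attacker who controls the host only needs to be present at that point. Here the "attach as a debugger and dump the memory image" step is played by hooking the interpreter's exec() in the loader's own process, which is enough to produce a copy that runs with no serial and no dongle at all. A fixed header is checked after decryption so a wrong serial is rejected cleanly instead of the garbage being executed (the crash Dave mentions); that check does nothing against the attacker, because it runs on the same untrusted host.

```python
import builtins
import hashlib
import hmac
import marshal
import types

# ---- "vendor" side: what goes into the dongle -------------------------------

# Constructed sample: the routine the vendor wants to keep secret. Made up for
# this example; a real product would ship a native code blob, not Python source.
SECRET_SOURCE = """
def licensed_feature(x):
    return x * 42 + 7
"""

# The serial the customer types in (hypothetical value for the example).
GOOD_SERIAL = "ASH-1234-5678"

# Fixed header so the loader can tell "decrypted with the right serial" from
# garbage without handing random bytes to the interpreter. It is a usability
# check only: an attacker on the host is not hindered by it.
MAGIC = b"DONGLEv1\x00"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in, not a
    recommendation; the scheme fails no matter how strong the cipher is."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, serial: str) -> bytes:
    """Encrypt/decrypt (same operation) with a key derived from the serial."""
    key = hashlib.sha256(serial.encode()).digest()
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_protected_blob() -> bytes:
    """What would be burned into the dongle's EEPROM."""
    code = compile(SECRET_SOURCE, "<dongle>", "exec")
    return xor_crypt(MAGIC + marshal.dumps(code), GOOD_SERIAL)


PROTECTED_BLOB = build_protected_blob()


# ---- "product" side: the loader the customer runs ---------------------------

def run_protected(serial: str) -> types.FunctionType:
    """Decrypt the blob with the typed serial, execute it, return the feature.
    This is the unavoidable moment when the plaintext exists on the host."""
    plaintext = xor_crypt(PROTECTED_BLOB, serial)
    if not plaintext.startswith(MAGIC):
        raise RuntimeError("bad serial: decrypted data is garbage")
    code = marshal.loads(plaintext[len(MAGIC):])
    namespace = {}
    exec(code, namespace)
    return namespace["licensed_feature"]


def serial_accepted(serial: str) -> bool:
    """True if the loader runs with this serial, False if it rejects it."""
    try:
        run_protected(serial)
        return True
    except RuntimeError:
        return False


# ---- "attacker" side: grab the plaintext at the point of execution ----------

def dump_by_hooking(serial: str) -> bytes:
    """Software analogue of attaching a debugger and dumping the process:
    hook exec() so the decrypted code object is copied out the instant the
    loader hands it to the interpreter. One legitimate run is all it takes."""
    captured = []
    real_exec = builtins.exec

    def spy_exec(code, *args, **kwargs):
        if isinstance(code, types.CodeType):
            captured.append(marshal.dumps(code))   # the "memory dump"
        return real_exec(code, *args, **kwargs)

    builtins.exec = spy_exec
    try:
        run_protected(serial)
    finally:
        builtins.exec = real_exec
    return captured[0]


def run_cracked(dumped: bytes) -> types.FunctionType:
    """The pirated build: no dongle, no serial, just the dumped code."""
    namespace = {}
    exec(marshal.loads(dumped), namespace)
    return namespace["licensed_feature"]


if __name__ == "__main__":
    print("legit:", run_protected(GOOD_SERIAL)(1))                        # 49
    print("wrong serial accepted:", serial_accepted("WRONG-0000-0000"))   # False
    dumped = dump_by_hooking(GOOD_SERIAL)
    print("cracked, no serial:", run_cracked(dumped)(1))                  # 49
```

Run it as a script to see the three cases. The thing to check for yourself is that once dump_by_hooking() has run, PROTECTED_BLOB and GOOD_SERIAL can be deleted and run_cracked() still works; a stronger cipher, a different serial per release or a dongle-side code update would each change the blob but not this outcome, because the plaintext still has to reach the CPU on a machine the attacker owns.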