Software insecurities & Piracy.

joePC

Hi all,

Just thought I'd raise the point about software cracking / Piracy, My point: All these companies developing software e.g. Norton, BIT, ISS, Microsoft, Adobe, ........ The list goes on.

All have yet to produce a system that cant be cracked, it makes me wonder. They spend millions developing software but add a simple Serial Key system to unlock the full version.

The reason I brought this up, I just finished downloading a program (Wont mention) Cost: $2400, Within 30 seconds I had the full version unlocked. A simply search gets me a valid Keygen. $2400 for free...... lol. I mean this is my point why dont they produce a more secure system. I dont aggree with software piracy at all but if companies like above are hoping everyone has the same view they are very much mistaken.

What are plps views on this would you / do you use unlicenced software?

Thanks JoePC

Note: This is in no way soliciting warez, The program mentioned has been uninstalled and company notified of Keygen.

Martyr

You can't really protect software against good crackers.
Best thing to do is disable some functionality, and i don't
mean by greying out menu items or, throwing a message
box up to the user if the software isn't registered.

Just don't include the code in compiled demo executable,
its the only way you can stop people ripping you off (if you're a developer)

Metamorphic/polymorphic programming is an interresting topic, which may help
against crackers, but its not something everyone can do.
And any engine available is usually flagged by some AV scanners.

About all you can do is completely leave the code out of demos.

As for copying CD/DVD's i'd say something could be developed, to last a few
years atleast using encryption.
Suppose that applies to software also..

When a company called BITARTS bought software from an argentinian
cracker 4 years ago.
It took other crackers 2 years to write a reasonable unpacker for it..so
companies need to look towards employing good crackers
to protect their software, maybe?

Cake Fiend

Send a thief to catch a thief. Noone would know better how to stop someone cracking your software than someone who's an expert in cracking software.

Capt'n Midnight

Funny that, M$ used not use serial numbers when there was competition. eg: DOS/Win3.x/Office4 etc. etc.
For everything up to 98 you have a one in seven chance of guessing a serial. (which is great if you don't want anyone buying from the competition - they can just borrow your CD and never have to learn how to use that nasty sw from your competitors)

Now that Dr Dos / Lotus / Ami Pro / Novell have been pushed off the front page and there is no one left to tempt to "try before you buy" the only market share is to force the pirates to buy licenses - hence activation.

I feel that the lack of copyright protection amounts to entrapment.

Look at AutoDESK - they used to use dongles until ruled out by US courts. so there are companies that have tried to protect their products. (actually with the exception of AutoCAD there seems to be an inverse correlation between the difficulty in copying commercial SW and it's desirability (am excluding games here) - the most heavily protected sw used to be that for niche markets !)

motherboards and processors and many HW devices have serial numbers so it's fairly easy to tie the legit sw to a PC - internet access means keys can be moved to other machines (invalidating the old one of course)

By contrast M$ put an add in an italian magazine showing what an windows OEM cert looked like - complete with a valid serial number

since most Kaaza downloads are borked that in part answers some questions.

since most people don't use 90% of the functionality in their software you don't always need the latest and greatest eg: www.openoffice.org / knoppix etc.

As for people cracking SW - the program can of course run check sums on it's self (all moot if the cracker can JMP past the checking routine)

Rev Hellfire

I think most companies realise that almost any system can be countered, and where a foolproof system is available the simple stealing of keys is used.
But interesting enough most companies (at least games) arent look to make something uncopyable, but rather to prevent its copying in the first few weeks of the products release at which point sales are at there highest, there after the importence of teh copyprotection drops, to the point that some compaies will remove it.

seamus

As people have said, it's almost impossible. The contention is between users privacy, and a vendor's right to verify that a product has been bought from them.

There is no program that can be made, that somebody can't modify for their own purposes. No matter how many software tricks you put in, at the end of the day, someone can sit down, decompile your program, strip it of its protection mechanisms and recompile it.

The two things that I see as the best ways of protecting a program are - encrypting all source code or source code certification.

But both rely heavily on implementing things which drastically reduce user's freedoms and pretty much let the corporations decide what you can and cannot buy.

Which no-one wants.

Rev Hellfire

Originally posted by seamus
encrypting all source code or source code certification

Ehh? What that give u.

seamus

Originally posted by Rev Hellfire
Ehh? What that give u.

Source code certification is something Microsoft and intel are already cooking up, using inbuilt hardware controls which check if the binary code attempting to run has been "certified" by microsoft as safe to run.
Now, essentially this will eliminate all viruses and cracked code, since they could never get their code certified. But it also allows microsoft to deny a cert to legitimate developers (Kill the open source movement, anyone?) and it also requires developers to get their code approved every single time they recompile. Anyone who's ever programmed knows that this sounds like a nightmare.

Encrypted source code would operate on a similar principle, but would eliminate Microsoft from the equation, instead using dual-key encryption to prove that the source code comes from the manufacturer, a bit like SSL over the web. The only problem being that everyone who wishes to execute code needs to apply for the cert (although it does allow one company to hold only a few certs, but compile hundreds of programs). Obviously the hardware needs to be in place in this case to only allow encrypted code to be run (otherwise crackers would just decrypt the code, then decompile it, modify it, and run it without encrypting it again).

Martyr

I don't think certification will work as it is intended against good crackers
or virus writers.
Some virus writer ..also author of NT rootkit talked about discovering
how they work, and simply fooling the checks very easily.

Checksums generated would need to be stored in PE file..so, if cracker
did change code in it, he could just recalculate the checksum and insert
it into the PE so everything would appear fine.

You can use encryption, but most crackers simply use the decrypt
routine to unpack the software themselves.