Posting Etiquitte?

> The strength of the encryption isn't the issue here - as you say, RSA is

fine. The problem is how to keep secure the key that you're using to decrypt the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is it?
Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key,
only files encrypted with this key can be decrypted my the application. You
might be thinking that someone could simply crack the program to change the
key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has
been cracked with ease/ But just by adding several layers it fends off the
less able crackers at least. One thing I'm not doing is buying a 3rd party
product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration
beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself.
There are *some* protection software out there that employs similar methods
to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Nick,

Trying to reverse-engineer the private key is out of the question - no
hacker/cracker would be that stupid.

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around
this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly
can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.

The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much
if all the cracker has to patch is the licensing part of your code.

But just by adding several layers it fends off the less able crackers at least. <<

It only needs a single cracker to break your scheme and distribute a cracked
program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.
One thing I'm not doing is buying a 3rd party product, I wouldn't trust

anyone else with the task, even if they are "godlike" programmers. <<

You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.

Regards,

Mark
--
Author of "Comprehens ive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128
"Nak" <a@a.com> wrote in message
news:eg******** ******@TK2MSFTN GP10.phx.gbl... The strength of the encryption isn't the issue here - as you say, RSA is
fine. The problem is how to keep secure the key that you're using to decrypt the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is it?
Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key,
only files encrypted with this key can be decrypted my the application. You
might be thinking that someone could simply crack the program to change the
key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has
been cracked with ease/ But just by adding several layers it fends off the
less able crackers at least. One thing I'm not doing is buying a 3rd party
product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration
beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself.
There are *some* protection software out there that employs similar methods
to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Hi Nick,

|| One thing I'm not doing is buying a 3rd party product,
|| I wouldn't trust anyone else with the task, even if they
|| are "godlike" programmers.

Not even one who eschews Option Strict On ?

|| You are correct in not trusting some of the commercial
|| copy protection schemes, which are pure snake oil.

I was going to offer to write you a protection scheme based on a
derivative of ASP but then I realised that that would probably just come out
as snake oil.

;-)

Regards,
Fergus

Hi Fergus,

Not even one who eschews Option Strict On ?
Then I *would* seriously consider it.
I was going to offer to write you a protection scheme based on a
derivative of ASP but then I realised that that would probably just come out as snake oil.

Don't you just hate it when you program snake oil, the keyboard gets all
greasy, I'm going to start programming with big rubber gauntlets I think :-)

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Hi Mark,

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.
Yup, I agree that no software is 100% safe unfortunately.
The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much if all the cracker has to patch is the licensing part of your code.
Yeah, that's one reason I'm not bothering with code obfuscation. That and
the obfuscators I have tried do not allow Strong naming.
It only needs a single cracker to break your scheme and distribute a cracked program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.
Yup, no software is safe, even the ones that employ hardware dongles.
You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.
I personally don't believe that to be a problem, lack of experience doesn't
mean a product would be any less viable. Microsoft have thousands of
employees, billions pounds and years of experience but I would still rather
use competitive "freeware" alternatives against some of their "attempts" for
software. My opinion has always been that if you are able to do the
research correctly and analyse the pro's and con's too then you're always on
for a winner.

The problem with employing a web service is that I can't do that without a
"fanny on", I do not have a permanent IP address and I also have "Free" web
space, which means that I would have to write a locator file to my web site
every time my IP address changes just so the applications could find my web
service. As well as a web service lowering the security of my system, at
current I do not have anything like that running as I have had *enough*
problems with hackers in the past.

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"Mark Pearce" <ev**@bay.com > wrote in message
news:uK******** *****@tk2msftng p13.phx.gbl...

One thing I'm not doing is buying a 3rd party product, I wouldn't trust

anyone else with the task, even if they are "godlike" programmers. <<

Regards,

Mark
--
Author of "Comprehens ive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128
"Nak" <a@a.com> wrote in message
news:eg******** ******@TK2MSFTN GP10.phx.gbl...

The strength of the encryption isn't the issue here - as you say, RSA is
fine. The problem is how to keep secure the key that you're using to decrypt

the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is

it? Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key, only files encrypted with this key can be decrypted my the application. You might be thinking that someone could simply crack the program to change the key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has been cracked with ease/ But just by adding several layers it fends off the less able crackers at least. One thing I'm not doing is buying a 3rd party product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself. There are *some* protection software out there that employs similar methods to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ "No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Hi Mark,

|| I can't do that without a "fanny on",

Just for your information, this isn't an anatomical reference, as I first
thought, lol., nor a reference to a specialised server (same thing, really)
;-)

It means a lot of hassle.

Regards,
Fergus

> It means a lot of hassle.

LOL, as I said, it's a "fanny on"!

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Hi Nick,

BIG LOL :-D

I usually put my keyboard into the washing machine at the end of every
week.

Regards,
Fergus

> I usually put my keyboard into the washing machine at the end of every

week.

LOL

What washing power do you use? Does it have a built in fabric softener? does
it get your whites whiter than white?

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Nick,

My opinion has always been that if you are able to do the research correctly and analyse the pro's and con's too then you're always on for a
winner. <<

Maybe in some areas, but not in cryptography or implementation of
cryptography protocols. Here's industry expert Bruce Schneier's scathing
attack on DIY crypto schemes:
http://www.counterpane.com/crypto-gr....html#snakeoil

This is also slightly interesting, also from Bruce Schneier:
http://www.counterpane.com/crypto-gram-9811.html#copy

Regards,

Mark
--
Author of "Comprehens ive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128
"Nak" <a@a.com> wrote in message
news:Or******** ******@TK2MSFTN GP10.phx.gbl...
Hi Mark,

A much easier route is to use ildasm to disassemble your app, patch it in
the appropriate place and then ilasm it back into a normal (not
strong-named) assembly, which is then distributed. You can try to get around this by creating a separate licensing assembly and then strong-naming both
of your assemblies and linking them together so that your licensing assembly can be called only by your app. So then the cracker might need to
ildasm/ilasm both of your assemblies.
Yup, I agree that no software is 100% safe unfortunately.
The assembly metadata that .NET provides makes reverse-engineering code a
relatively simple exercise. Even using a code obfuscator won't help you much if all the cracker has to patch is the licensing part of your code.
Yeah, that's one reason I'm not bothering with code obfuscation. That and
the obfuscators I have tried do not allow Strong naming.
It only needs a single cracker to break your scheme and distribute a cracked program for everyone else to use. Windows XP activation, for instance, was
cracked within hours of the RTM being available.
Yup, no software is safe, even the ones that employ hardware dongles.
You are correct in not trusting some of the commercial copy protection
schemes, which are pure snake oil. But if you think that you can do better
than, say, a team of specialists who've studied this area for years, then
you're just peddling snake oil yourself.
I personally don't believe that to be a problem, lack of experience doesn't
mean a product would be any less viable. Microsoft have thousands of
employees, billions pounds and years of experience but I would still rather
use competitive "freeware" alternatives against some of their "attempts" for
software. My opinion has always been that if you are able to do the
research correctly and analyse the pro's and con's too then you're always on
for a winner.

The problem with employing a web service is that I can't do that without a
"fanny on", I do not have a permanent IP address and I also have "Free" web
space, which means that I would have to write a locator file to my web site
every time my IP address changes just so the applications could find my web
service. As well as a web service lowering the security of my system, at
current I do not have anything like that running as I have had *enough*
problems with hackers in the past.

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"Mark Pearce" <ev**@bay.com > wrote in message
news:uK******** *****@tk2msftng p13.phx.gbl...

One thing I'm not doing is buying a 3rd party product, I wouldn't trust

anyone else with the task, even if they are "godlike" programmers. <<

Regards,

Mark
--
Author of "Comprehens ive VB .NET Debugging"
http://www.apress.com/book/bookDisplay.html?bID=128
"Nak" <a@a.com> wrote in message
news:eg******** ******@TK2MSFTN GP10.phx.gbl...

The strength of the encryption isn't the issue here - as you say, RSA is
fine. The problem is how to keep secure the key that you're using to decrypt

the data. The only really secure way to do this is via some sort of
activation scheme involving a remote server.

Aaah, that's were you haven't seen the whole point. It doesn't matter if
someone sees the decrypted data, the whole point is that none else will be
able to make a license file that can be decrypted with my public key. It
isn't possible to simply find the matching key if you have one of the is

it? Not that *I* am aware of anyway.

I had thought about that, but the idea is that when someone purchases
software, I would send them a license file encrypted with *my* private key, only files encrypted with this key can be decrypted my the application. You might be thinking that someone could simply crack the program to change the key that is used to decrypt with, but that would cause my application to
fail as it is "strong named".

I know that *no* software is safe, even with a hardware dongle; software has been cracked with ease/ But just by adding several layers it fends off the less able crackers at least. One thing I'm not doing is buying a 3rd party product, I wouldn't trust anyone else with the task, even if they are
"godlike" programmers.

The finny thing is that Microsoft PA is not a bad way of protecting
software, except for the fact that if you change your hardware configuration beyond a certain threshold they will de-activate your software. This has
happened to myself before after changing and adding a few components, even
though I have an DELL OEM copy of XP that doesn't need activating my myself. There are *some* protection software out there that employs similar methods to PA and they use a points based method, if you change a major piece of
hardware more points are put towards the license being invoked, changing a
hard drive for example would add only a small number of points.

As one wise man once said, "It's all a load of bollocks!"

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ "No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\