Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Program Security
#1
I saw a keygen for a certain program on this forum (more specifically keygen music) and I'm wondering how "secure" these programs are if the company can't even protect their own prop products. Why can't they establish a live SSL/VPN link during the authentication? I feel like an idiot for paying sticker price every year. Thoughts?
Reply
#2
My thought is you should just get a good free one. Like MSE
Reply
#3
.
Reply
#4
i have never paid for any program, still i spent a lot of money on maple... something here doesnt make sense Frown
Reply
#5
If you are asking for an antivirus program that is very good at what it does, I say go for "Avast!". Ive been using Avast for 3 years now, no issues. They give you a free 1 year license and you just re-up every year.
Reply
#6
Security is a lie.
The best you can do is protect something briefly, because the number of people who want in outnumber the amount of resources you can devote to preventing access.

There's virtually no way to make a product that can't be bypassed.
You add a CRC check to the program? Cracker changes the hash value it hunts for as part of the bypass.
You add a vpn check like you suggested, Cracker disables the check entirely, writes a local proxy for it, or otherwise bypasses it.
You use a basic serial number and regardless of how complex it is a cracker can decode what it's looking for and make a keygen for it because the program itself has to know what mix of parameters are acceptable and can be coerced into giving you the keys.
You use a combination approach and the cracker just applies a mix of all the above.
You add in a check every time it gets used to validate it as part of the check for updates, cracker just NOOPs that.
You only release full versions to paying customers via download or media, someone's gonna leak it, likely repacked minus any identifying info you may have put there to catch potential leaks.

This is a very dangerous topic to skirt here as we don't condone discussion regarding warez, but neither will we deny that's impossible to prevent or avoid.
Reply
#7
Eosian Wrote:This is a very dangerous topic to skirt here as we don't condone discussion regarding warez, but neither will we deny that's impossible to prevent or avoid.

That was going into my post, I just forgot to add it.
Reply
#8
Eosian Wrote:Security is a lie.
The best you can do is protect something briefly, because the number of people who want in outnumber the amount of resources you can devote to preventing access.

There's virtually no way to make a product that can't be bypassed.
You add a CRC check to the program? Cracker changes the hash value it hunts for as part of the bypass.
You add a vpn check like you suggested, Cracker disables the check entirely, writes a local proxy for it, or otherwise bypasses it.
You use a basic serial number and regardless of how complex it is a cracker can decode what it's looking for and make a keygen for it because the program itself has to know what mix of parameters are acceptable and can be coerced into giving you the keys.
You use a combination approach and the cracker just applies a mix of all the above.
You add in a check every time it gets used to validate it as part of the check for updates, cracker just NOOPs that.
You only release full versions to paying customers via download or media, someone's gonna leak it, likely repacked minus any identifying info you may have put there to catch potential leaks.

This is a very dangerous topic to skirt here as we don't condone discussion regarding warez, but neither will we deny that's impossible to prevent or avoid.
Correct, nothing is impossible to crack. However, software that are largely web-bound are much harder to crack due to the nature of memory hacking vs. web hacking.
Reply
#9
Not really relevant to what he was talking about.
The same could be said of client vs server side gaming as Nexon proves over and over.
Reply
#10
I feel like the least they could do is look up "(name of product) keygen" on Google ._.
Reply
#11
And what, change the security scheme again? And again? And again?

The point of application security isn't to make it unbreachable, it's to minimize the amount of theft.
That's why the cracks/keygens/etc tend to be version specific. Each time they release a new update most companies will change the security slightly to force the public to wait on a new crack or break down and buy it legit.

There'd be no value in a publisher just releasing updates that do nothing but change security. That's way too much hassle when they can just change the security in each legitimate update.
Reply
#12
larmie Wrote:I feel like the least they could do is look up "(name of product) keygen" on Google ._.

They could, but then what? They could order sites to take down this sort of thing, but not everyone will comply, and it's too simple to just re-upload elsewhere. They could threaten to sue, and even go through with it, but that won't do much good either. These are usually individuals who won't be able to cough any significant amount of compensation, and the best they might be able to hope for is a jail term to discourage people from cracking their stuff.

It's a futile game of whack-a-mole that takes up too much time and resources, and could leave you with a bad reputation if you stuff up and inconvenience legitimate customers with your security measures.
Reply
#13
Eosian Wrote:Not really relevant to what he was talking about.
The same could be said of client vs server side gaming as Nexon proves over and over.
He was referring to using the internet as a protection measure ("Why can't they establish a live SSL/VPN link during the authentication"). I pointed out that it can, in certain ways, be a protection (just not the way he was thinking).

Eosian Wrote:Each time they release a new update most companies will change the security slightly to force the public to wait on a new crack or break down and buy it legit.
Most companies I know, including relatively big ones (adobe, etc.) very rarely change security measures. I've seen applications where a simple search and replace worked for years, through several major version changes. It's simply not worth the programmers' time, as most of these companies rely on business customers who cannot legally use cracked versions.
Reply
#14
Kortestanov Wrote:most of these companies rely on business customers who cannot legally use cracked versions.

No one can legally use cracked versions and businesses are just as guilty as individuals of piracy otherwise the BSA would never have existed.
Reply
#15
Eosian Wrote:And what, change the security scheme again? And again? And again?

The point of application security isn't to make it unbreachable, it's to minimize the amount of theft.
That's why the cracks/keygens/etc tend to be version specific. Each time they release a new update most companies will change the security slightly to force the public to wait on a new crack or break down and buy it legit.

There'd be no value in a publisher just releasing updates that do nothing but change security. That's way too much hassle when they can just change the security in each legitimate update.

In fact you can use the same keys for every version of this program; not sure why there are different keygens. The same legitimate product key from three versions ago works just fine.

Rhayn Wrote:They could, but then what? They could order sites to take down this sort of thing, but not everyone will comply, and it's too simple to just re-upload elsewhere. They could threaten to sue, and even go through with it, but that won't do much good either. These are usually individuals who won't be able to cough any significant amount of compensation, and the best they might be able to hope for is a jail term to discourage people from cracking their stuff.

It's a futile game of whack-a-mole that takes up too much time and resources, and could leave you with a bad reputation if you stuff up and inconvenience legitimate customers with your security measures.

Yeah, but taking them down from sites like Youtube would at least avoid kiddies and warez n00bs from stealing software left and right. I'm not suggesting sending partyvans after these hackers (who's probably in Eastern Europe and China) but hunting down torrent trackers would minimize losses. Most people would choose to just fork up thirty bucks if they had to spend days to get the program for free.



I was thinking along the lines of Kortes and Eos; AhnLab has done a fair job of preventing hacking (at least some of the time) and they have their own suite of Internet Security programs. I was wondering if they were using the same HackShield type protection on their own programs.

Maybe the keys could be changed every time there's a definition/version check? The key is stored both locally and sent to a backup e-mail address and is invalidated in ten days. By replying to the e-mail you can ask for clemency so when you get a new PC you can use your old key. If you couldn't even access your e-mail account you have to confirm your personal information (incl. payment confirmation) to get a new key.
I read somewhere over a decade ago that the first thing you do to protect your passwords is to change them frequently. Good idea?

(was going to say something about BSA but Eos got there before me ._.)
Reply
#16
You're beating a dead horse here.
Hackshield is easily bypassed by people who know how and only checks for things that it's been specifically designed to look for, or Maple wouldn't be as overrun with hackers as it is.

As was already pointed out the only real secure way to handle an app would be do to it via cloud so that the "app" on the desktop is nothing more than an interface into the cloud where all the real logic gets done and then the app becomes untamperable with (unless you're stupid enough ala Nexon to let the app accept packets from the client without regard to whether or not those packets are appropriate).

Not all companies bother changing their schemes every version because a lot of them consider piracy inevitable and just go with it as a baked in operating cost loss. It just varies product by product and company by company.
Reply
#17
Eosian Wrote:No one can legally use cracked versions and businesses are just as guilty as individuals of piracy otherwise the BSA would never have existed.
I don't know pomegranate about law (and especially US law) so I might be wrong, but doesn't one have the legal right to modify his own computer's memory as he wishes as long as it is not distributed?
Reply
#18
Nope.
Title 1 of the DMCA prohibits "circumvent[ing] a technological measure that effectively controls access to a work"

That includes creating your own bypasses to give yourself access to functionality you have not paid for.

The BSA targets businesses who do that because it has more chance of getting damages than it would from an average user.
No one targets average users generally because they're not worth it, they go for suppliers who have bigger penalties and can be made examples of in the deluded attempt to "stop" it from happening.
Reply
#19
The DMCA really fails hard (must be one of the reasons it was made in the lolUSA Tongue).

The problem is that it turns almost everyone in the USA into a criminal. And the point of law it to make society a better place, not criminalize everyone and have only random people get caught.

Also, modifying a car is also illegal, since it's not allowed by the DMCA to:
"manufacture, import, offer to the public, provide, or otherwise traffic in" a device, service or component which is primarily intended to circumvent "a technological measure that effectively controls access to a work," and which either has limited commercially significant other uses or is marketed for the anti-circumvention purpose."

Since a car's parts and design are protected by copyright and the car is protected by screws to change those parts, it's illegal to unscrew them and replace them... unless you have permission from the maker to do so... :')
Reply
#20
Except copyright doesn't cover automobiles.
Copyright covers books, maps, dramatic works, paintings, photographs, sound recordings, motion pictures and computer programs.

Scope is relevant.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)