Re: Registration Code
- Subject: Re: Registration Code
- From: Will Mason <email@hidden>
- Date: Sat, 13 Nov 2004 11:44:47 -0800 (PST)
- Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
Hard coding a string is a terrible idea. I couldn't agree more.
However, I was not suggesting hard coding a string. I was suggesting
hard coding a key to a cipher like Blowfish. Using RSA is a bit of a
weird idea because there's no need for asymmetrical encryption in this
case. A hard-coded binary key is not trivial to find unless you are in
the habit of sifting through all of an executable's data.
Will Mason
--- Matthew <email@hidden> wrote:
> Hardcoding is a terrible idea unless you're a little bit sophisticated
> with it. All hardcoded strings in a file can be read as plain text by
> simply using the 'strings' command in terminal. For example, typing
> 'strings myExecutable' gives me a list of all of the strings in it.
> Most will be library calls, etc. but you will certainly find that key
> with almost no effort if you know what to look for.
>
> Maybe think just a tiny bit harder and consider at least a cipher or
> use a package that does RSA. Having some construct that's like
>
> if (RegCode == "myHardCodedString") then unlock app
>
> is almost pointless.
>
> Matthew
>
>
> On Nov 13, 2004, at 3:12 AM, Will Mason wrote:
>
> >> I think developers spend too much time on those "funky registration
> >> code hiding things", but it's stolen time. Some people will always
> >> give away registration codes to friends. If your app is good and has
> >> an adequate price, there will also be many people who will buy it.
> >>
> >> So, in my opinion, we developers should spend more time in developing
> >> great applications, instead of non-working piracy protection things.
> >> ;-)
> >
> > I don't agree. I've spent most of my career working on security, and I
> > agree that it is impossible to secure an app 100%. However, you can
> > with minimal effort prevent 99% of attacks on your software. Even if
> > you encrypted the "secret" information using a key that was hard-coded
> > into your program you could prevent the vast majority of crackers from
> > achieving their goal. The attackers would have to hack in and find the
> > key. Most attackers are not willing to do that.
> >
> > My recommendation therefore is to encrypt your private information even
> > using a hard-coded key. Most crackers are too lazy to bother with
> > encryption even when it's so easily circumvented.
> >
> > I actually believe, probably because of my background in security, that
> > developers don't spend enough time on security. Most software would be
> > a lot more secure and equally easy to use if people took the time to
> > understand the basics of cryptographic algorithms and protocols.
> >
> > Just my opinion,
> > Will Mason
> >
> > _______________________________________________
> > Do not post admin requests to the list. They will be ignored.
> > Cocoa-dev mailing list (email@hidden)
> > Help/Unsubscribe/Update your Subscription:
> > email@hidden
> >
> > This email sent to email@hidden
> >
>
>
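
Added example, not part of the original thread or written by either poster: a Python approximation of what `strings` lists, run over a constructed byte blob, for checking whether a secret shipped in your own build sits there as printable text. The blob, the key bytes and the function names are made up for the illustration; only `myHardCodedString` comes from the quoted message.

```python
import re

MIN_LEN = 4  # default minimum run length used by the strings utility

def printable_runs(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def exposed_secrets(data: bytes, secrets: dict[str, bytes],
                    min_len: int = MIN_LEN) -> dict[str, bool]:
    """Map each secret name to True if it appears whole inside a printable run."""
    runs = printable_runs(data, min_len)
    result = {}
    for name, value in secrets.items():
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            # Bytes outside ASCII can never appear in a printable-run listing.
            result[name] = False
            continue
        result[name] = any(text in run for run in runs)
    return result

# Constructed sample data standing in for an executable's data section.
REG_CODE = b"myHardCodedString"  # the string from the quoted construct
BINARY_KEY = bytes.fromhex("9f1c03e780b4d20af188c315e907aa90")  # made-up 128-bit key
IMAGE = (
    b"\x00\x01\x02\x03" + b"_objc_msgSend\x00" + b"\x00" * 8
    + REG_CODE + b"\x00" + b"\xff\xfe" + BINARY_KEY + b"\x00\x00"
    + b"NSApplication\x00"
)
SECRETS = {"registration string": REG_CODE, "binary key": BINARY_KEY}

if __name__ == "__main__":
    for run in printable_runs(IMAGE):
        print(run)
    for name, found in exposed_secrets(IMAGE, SECRETS).items():
        print(f"{name}: {'listed' if found else 'not listed'} as printable text")
    # The key is absent from the listing but still stored verbatim in the image.
    print("binary key offset in image:", IMAGE.find(BINARY_KEY))
```

The binary key does not show up in the printable listing, but its bytes are still present unchanged in the image, which is the distinction the two posters are arguing over.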