Suppose my customers are offline customers (Don't have Internet connection). So I want my employees to install the software. My application runs in linux server and I have a script that install the required software and my application into the system.
Biggest problem is that my employees can steal the software and sell it to other customers.
I was thinking some security mechanism to protect from stealing the software.
The entire script can not be copied from the Pen drive into the server
I shall zip and make my scripts and installers password protected and the password will expire after unzipping the folder into the pen drive.
The problem is I was didn't get any suitable example/tool in google to expire my zip file exactly after one use in Ubuntu/Linux. Almost whole day i have done my research on this but didnt get any clue on this.
Can someone help me out if you have prior experience on this or any better idea is appreciated.
Please note: I know that if someone is trying to steal/break my software means it is a good software blah blah blah...... idea. So any opinion or direction is much appreciated
Related
Just made an installer (using QTIFW) for my Qt project but when I tried to install it on other machine the 360 Total Security interrupted the installation process.
It pops up and complains about d3dcompiler_47.dll, asking the user to allow/block the file. If user do nothing, or don't allow, it
seems to be preventing QTIFW of writing it as part of the application installation.
That led to following error
Can't create C:\Program Files\company\project\d3dcompiler_47.dll"
That's quite terrible. I'm wondering how to deal with this situation?
False Positives: False positives from maleware scanners can be quite hard to deal with. To check using more than one malware scanner you can upload the release files individually as well as the complete setup to https://www.virustotal.com. This service runs many malware scanners on the submitted files so you can see what malware scanners flag which binary. There are a few other such anti-malware online scanners such as Kaspersky, Avira, etc...
Update: And then there is Process Explorer. Check this tweet chain for how to check your running application for malware hits per process and loaded file.
When you see the scope of the problem (how many files are flagged), you should work backwards to see how you could go about solving the problem. This can involve getting the files whitelisted by the malware vendor(s), eliminating them from your setup, or fixing technicalities that flag the files, etc... There are some options listed and elaborated below.
Fixes: There are both technical and practical fixes you can try. Don't expect it to be easy. The issue of false positives is a very serious deployment problem. The proposed fixes and workarounds below are in random order:
Compiler Settings: Sometimes you can actually choose different compiler settings to avoid the problem, but often you are not so lucky. I have seen this with files compiled with special Spectre / Meltdown mitigation settings. They were flagged as unknown by malware scanners.
Dangerous API-calls: You should also check what API-calls are made in the problem file(s) that could be known to cause security warnings (unusual and / or dangerous API-methods) - and remove them if you can. I have heard of cases where malware vendors want to refuse to whitelist your binary because what the binary does makes no sense to them (try calling a firmware update for an embedded system as part of your setup installation or some low-level call triggered by a security tool you are installing).
Eliminate Files: Removing certain components from your application can also help sometimes - especially if they are third-party components added to your application for convenience only. In other words your application works fine without them. Removing a problem can be much simpler than fixing it.
Vanilla Installer: Sometimes you can split problem components into a separate setup so your main setup installs without issues. This can help enormously with support issues or overall application approval in corporate settings. You can also make 2 full setups where one has all probable false-positive triggers removed - your "vanilla setup" that should install without drama in all cases.
Digital Signatures: Signing the file with a digital signature can help since a proper certificate "buys trust outright" in reputation-based score systems such as Microsoft SmartScreen. Note that this needs to be an EV-level certificate. Please check for updated information here as technology evolves. Certificate / signing technologies always seem to cause something unexpected.
Malware Scanner Whitelisting: Submit file for white listing. Then there is the formal approach with the malware vendors as explained by Bogdan Mitrache of Advanced Installer here: Antivirus Whitelisting Pains. You submit files to them for white-listing. The article explains real-world experience with binaries flagged as malware when delivering software. Mandatory reading.
Microsoft SmartScreen: Microsoft has their own way to submit files for analysis and white-listing: https://www.microsoft.com/en-us/wdsi/filesubmission. They state: "Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware.".
Unique Executable Per Customer: Sometimes a unique executable is used for every customer by auto-generating an installer for each sale. I would advise against this since the installer executable - even when signed - will be a "new encounter" for malware scanners. You could run into trouble you do not need. There is also an added risk for each generated installer executable to actually be infected by real malware, and there is also the QA-issue that every installer should be tested before release.
Signed Malware: Whatever you do, make sure the file in question isn't actually real malware! Obviously your own files can get infected. Test well. If you sign malware and deliver to your client the digital signature is proof positive that you delivered the malware to them. Not good. And then.
More on Digital Signatures: Some information and links to get your setup and / or files signed:
https://www.advancedinstaller.com/user-guide/faq-digital-signature.html
https://knowledge.digicert.com/generalinformation/INFO1119.html
https://www.thawte.com/resources/getting-started/how-code-signing-works/
Installshield Custom Dialogue Installer
So I'll be honest right up front. I know what the end product I need is, but I'm not 100% sure how to get there. Please read on so I can fully explain my situation and also some ideas I tried. I was torn between whether I should send this to a gaming form or to here. Considering that this is more "backend" related tho I opted to send it here.
So here's my dilemma. I'm not gonna bother explaining why because it isn't necessary, but essentially, I'm a sys admin for a minecraft server. We work on extremely high quality productions generally including custom coded systems and resourcepacks. One of the biggest problems we have is other individuals coming on to our networks and looking through our resourcepacks (which, if you aren't familiar, resourcepacks are sent from the server to the client as a .zip)
So essentially a individual from, say, a rivaling network comes onto ours and will snoop around our resourcepacks and uncover cool techniques or technologies that we develop. Only for us to later see those technologies implemented elsewhere!
A number of days ago I stumbled across a network which actually have managed to encrypt their resourcepacks so that it's not possible to snoop around them (via extracting them. Remember, these are archive files). When you try to extract or make any other changes to the archive, it will return a 80004005 error which I've come to learn is related to operating system permissions.
So here's what I'm looking for:
How can I encrypt a ResourcePack, or rather, an archive (specifically a .zip) but still have it be readable by Minecraft?
It's that second half which has stumped me.
I've already been able to encrypt a resourcepack myself (using WinZip) which recreated the 80004005 error as well as expected results (like not being able to copy files from inside of the archive for example.) However, obviously because the file is encrypted, there isn't any way for minecraft to read it!
And since the original network's file is encrypted (which I did reach out to them to see if they'll talk to me about how they implemented this feature) there's no way that I know of to reverse engineer the encrypted archive to figure out what method they used.
To reiterate, I have no interest in obtaining the contents of this other network's resourcepack. Rather I'm only interested in figuring out how to be able to encrypt/lock my own network's resourcepacks so that other's can't access it, but Minecraft can.
I'm already well aware that this question is outside of the realm of what we normally see on this website. I'm seriously taking shots in the dark to figure this cool technology out since file encryption and system permissions stuff is not exactly down my alley.
Like I said, 0 confidence on this topic, hopefully I gave enough details for you to help me out!
Even if you may not know much about Minecraft as a game. But have insight into how programs might be able to access an encrypted file while users can't (specific protocols to look into maybe?) I'm hoping I can get at least enough information to piece together the answer I need! Thank you again for your help!
This is completely impossible. In this case, not only do you have the standard reasons that effective DRM is impossible, but also that Minecraft only knows how to open completely normal .zip files. As for this:
A number of days ago I stumbled across a network which actually have managed to encrypt their resourcepacks so that it's not possible to snoop around them (via extracting them. Remember, these are archive files). When you try to extract or make any other changes to the archive, it will return a 80004005 error which I've come to learn is related to operating system permissions.
You've misunderstood what's going on here somehow. They didn't encrypt anything. If you post a new question (probably on a sister site and not this one) with the details of exactly how to get that .zip and the steps you followed, someone will be able to explain the real reason why you couldn't extract it at first.
penetration testing is a small hobby of mine, so I don't have a lot of experienced doing it. Keep that in mind when answering please.
I recently came across a network, where access to the C drive was blocked, so you couldn't access it by typing a path into Windows file manager, but there are some shortcuts on the desktop (which are the same and unchangeable for every standard user like me on the network), eg Photoshop, which if you do view file location on, you get into the C drive, and can navigate wherever you want. This made me think that that file viewer, which has access to the C drive has something special about it, and that I might be able to use it for some sort of privilege escalation, but being an amateur, I don't know if I'm correct, and I wouldn't be able to capitalise on it even if I was correct.
If someone could explain this to me, I would highly appreciate that. P.S.: the programming language I know best is python, and I have experience in using Kali Linux (I have a live bootable USB)
We need to be able to supply big files to our users. The files can easily grow to 2 or 3GB. These files are not movies or similiar. They are software needed to control and develop robots in an educational capacity.
We have some conflict in our project group in how we should approach this challenge. First of all, Bittorrent is not a solution for us (despite the goodness it could bring us). The files will be availiable through HTTP (not FTP) and via a filestream so we can control who gets access to the files.
As a former pirate in the early days of the internet i have often struggled with corrupt files and using filehashes and filesets to minimize the amount of redownload required. I advocate a small application that downloads and verifies a fileset and extracts the big install file once it is completely downloaded and verified.
My colleagues don't think this is nessecary and point to the TCP/IP protocols inherit capabiltities to avoid corrupt downloads. They also mention that Microsoft has moved away from a downloadmanager for their MSDN files.
Are corrupt downloads still a widespread issue or will the amount of time we spend creating a solution to this problem be wasted, compared to the amount of people who will actually be affected by it?
If a download manager is the way to go, what approach would you suggest we take?
-edit-
Just to clearify. Is downloading 3GB of data in one chunk, over HTTP a problem OR should we make our own EXE that downloads the big file in smaller chunks (and verifies them).
You do not need to go for your own download manager. You can use some really smart approach.
Split files in smaller chunks, let's say 100MB each. So even if a download is corrupted, user will end-up downloading with that particular chunk.
Most of web servers are capable of understanding and treating/serving range headers. You can recommend the users to use download manager / browser add-ons which can use this capacity. If your users are using unix/linux systems, wget is such a utility.
Its true that TCP/IP has capacities of preventing corruption but it basically assumes that network is still up and accessible. #2 mentioned above can be one possible work-around to the problems where network was completely down in middle of download.
And finally, it is always good to provide file hash to your users. This is not only to ensure the download but also to ensure the security of the software that you are distributing.
HTH
We are having an application that is downloadable. We want to stop the application being reverse engineered by someone to lose our business. It there any way to stop this?
What do you mean by an downloadable application? You are talking about ASP.NET applications in the title of the question, but that's not a kind of application which can be downloaded. If you have a Console/WinForms/WPF-Application that has compiled binaries, you could use code obfuscation tools to make reverse engineering harder.
Best Regards
Visual Studio (usuall) comes with Dotfuscator (community edition). Look in your Visual Studio Tools program files entry.
PreEmptive Solutions’ Dotfuscator is
the leading .NET Obfuscator, Compactor
and Watermarker that helps protect
programs against reverse engineering
while making them smaller and more
efficient. Dotfuscator Professional
Edition is designed to stop even the
best of decompilers from producing
useful output. It provides
comprehensive and efficient .NET code
development and deployment.
I've had a similiar problem. I had a server based piece of software that was loaded onto a server within the customer's premises. This meant anyone half technical could copy the files from the server onto disk and re-install with some know-how onto another server. Basically, stealing my work.
I wrote in numerous measures, I obfuscated the code and I put hooks into all corners of the server (registry, database, root of drive) so if the code was installed elsewhere the system wouldn't find these items and lock itself up. I even went to the lengths of self encrypting some of the source files and then deleting the encryption tool itself. Unfortunately, if anyone wants to steal the software however, they still can. You have to realistically judge how much effort you must put it to stop a percentage of thefts. I love Roeder's Reflector, but it's programmes like this that allow a competent programmer an insight into your protection code and circumvent it.
Have you looked at 3rd party products like Xheo: http://www.xheo.com/products/codeveil/?gclid=CL-Tjoye7psCFdYB4wodHGVZAQ?
I found this on SO too: Protect ASP.NET Source code
I hope this helps.