My friend has a company that sells hardware products (like a finger print reader) to customers. In each of their machine, they embed an "encryption chip", which is like a dongle (but embedded into their product, not a usb stick): the software on machine queries certain information from the chip through encryption (both the software and dongle share the encryption key) to continue execution. This is mainly to prevent piracy (making a copy of the machine and software).
The problem is, these embedded dongles are purchased from third-party security companies. So there are pirates out there that purchase an embedded dongle from the same security company, then use a microscope to read the chip's actual content and that way they can fairly easily manage to get the encryption key, thus rendering the dongle embedded in the customer's product useless.
To resolve this issue, seems there are 2 ways:
1) Find a very reputable and professional security company that specializes in embedded dongles that can prevent this kind of very sophisticated "physical hacking"?
2) Use a type of CPU (or any other hardware component) with a unique serial id that can be read by the software, this way it binds each software to a unique machine. Similar to how ISP's bind the MAC address of your NIC to their server to prevent multiple PC's using the Interent (but those are easily broken by MAC spoofers that can CHANGE the MAC of a NIC).
Any other suggestions/guidance? Thanks!
Rule 1: Piracy cannot be prevented. There are no technical means possible that magically allow some person to use the product and some person not to use the product.
It's impossible to tell valid people from invalid people. They're all people. They always seem to know the passwords, have the dongles, be running on the approved CPU, have the right IP address, have the right shoe size.
Even fingerprints can be spoofed (watch Mythbusters for proof.)
This is a matter of trust, not technology. How does a machine know whom to trust?
In fact, it cannot know whom to trust. Only a person establishes a trusting relationship with another person.
Machines are just machines. Any time you allow one person to use the machine, another person can (and eventually will) gain access.
I've worked on a number of products with software and hardware measures to try to block piracy. Ultimately, you can't block pirates, because if they can't spoof the "key" they can just hack your code to skip the check for the key -- even if your code is compiled.
What you do achieve by using stronger anti-piracy measures is to inconvenience all your law-abiding customers and make it hard to use your product.
The best anti-piracy solution I know is to make a product whose value is access that the software gives to data or services not installed on the customer's machine. For instance, a license on an internet site that you control, so you can monitor customer's use of their license and disable it if you detect them trying to use their license illicitly.
Here is a very good DRM article:
http://www.authorama.com/microsoft-research-drm-talk-2.html
In DRM, the attacker is also the
recipient. It’s not Alice and Bob and
Carol, it’s just Alice and Bob. Alice
sells Bob a DVD. She sells Bob a DVD
player. The DVD has a movie on it –
say, Pirates of the Caribbean – and
it’s enciphered with an algorithm
called CSS – Content Scrambling
System. The DVD player has a CSS
un-scrambler.
Now, let’s take stock of what’s a
secret here: the cipher is well-known.
The ciphertext is most assuredly in
enemy hands, arrr. So what? As long as
the key is secret from the attacker,
we’re golden.
But there’s the rub. Alice wants Bob
to buy Pirates of the Caribbean from
her. Bob will only buy Pirates of the
Caribbean if he can descramble the
CSS-encrypted VOB – video object – on
his DVD player. Otherwise, the disc is
only useful to Bob as a
drinks-coaster. So Alice has to
provide Bob – the attacker – with the
key, the cipher and the ciphertext.
Hilarity ensues.
Just about the only way to limit pircay of your software is to obfuscate the activation/regiustration algorithm as much as possible. Here is how the big boys do it:
http://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation
DRM is bad for your customers and bad for you, and in the end, if your product is good enough, the pirates are going to get it.
So, if you can't win, why not join them?
Stop DRM. Watermark all copies individually and record who you sell what to. Don't tell them you did. Give them a license key.
Wait until the pirates start their operation.
Check the pirated copies, sue the company(ies) selling or leaking the code to the pirates for big cash. Unlike individuals, if they sold it, they must keep a record.
Related
Hie There Everyone !!!
So this question is about cellphone companies and 3rd party companies being able to lock/unlock a cellphone to/from a particular network. My question is how do they do it especially/given that the mobile handset is located in a particular country ?? Also given that a phone is Network locked, what exactly is locked ?? Is it the firmware or it's software that basically prevents you from using another SIM Card ?? Is there any hardware available to unlock your mobile device on your own and at what cost ??
Thanks Very Much, I hope I made myself clear in this question.
Locking a phone on a particular network is up to recently a matter of sim locking the phone. This means the firmware does a test on startup is the inserted sim belongs to a specific operator. Most of the time there is an official procedure to unlock the phone you can ask to your operator if yous had been a subscriber "long enough". The ere are also unofficial procedures which can be applied if you have the right software you have to buy. In Africa it's a real business people do in the street.
Some spartphone vendors can also lock their phones is they have specific commercial agreements with the operator. They do it on their centralized servers. Unlocking in this case is tricky, or even impossible.
We are wondering what's a good networking design for mobile games that have real time single player battles like Clash of Clans.
One option is to do the battle completely on client side, and send the result back to the server when the battle is done. However it seems this will allow cheating. Is there any security model to handle this? Technically hackers can do anything that your client can do, so
The other option is to do real time networking between client and server. But I'm not sure whether this is a good idea for mobile games considering various network conditions.
Does anyone know what's a good design here? How does Clash of Clans do it?
Until CoC developer officially speak about it, it won't be known well. I my thoughts, CoC is somehow free from cheating because it allows attacked players to see the replay of what the attackers did to them.
Doing real time networking is best for preventing from cheaters, but it will annoy some game players because Wifi and LTE network occur 40~150ms latency with 10~20% packet loss. Moreover, CoC game play will give game servers much load for running A* algorithm for each mob character. Unlike League of Legends, the navigation path in CoC is changed as each Wall is broken, so O(1) by adopting path table technique is not feasible.
I have few projects ideas that involve plugging a computer or an arduino to my landline phone (or just before it). For example, I would like to grab the caller ID sent when someone calls, do a lookup on the web or in an address book, and display the associated name on a LED screen.
The problem is that I can't find any resources on the protocols used for transmitting this caller ID, etc. I may have misused my google skills, so could anyone give me some pointers ?
I am particularly interested in all the protocols evolving around landline phones (caller ID forwarding/blocking, sending SMS, starting/ending a call, etc.). It is my understanding that while the long distance part (from central to central) is numeric, the signal reaching the phone on the customer side is still analogic. Is it true ?
The majority of public telephone networks (PSTNs) have a digital core (switch to switch) and an analogue edge (from the edge switch to your phone at home).
Business and large campuses (Hotels, Hospitals, Colleges - any large organization on a single or closely located sites) often will have a local phone system and switch (PABX) which will speak digitally to the edge exchange and which, increasingly, may speak digitally to the desk phones also.
There are actually a number of different standards in use for sending the CLI over the analogue circuit to your home phone depending on where you are and who your operator is - see the following link as a good starting point, although it is old and the links appear broken):
http://www.ainslie.org.uk/callerid/cli_faq.htm#Q_6
This one may also be useful:
http://www.tech-faq.com/fsk.html
Two types of problems I want to talk about:
Say you wrote a program you want to encrypt for copyright purposes (eg: denying unlicensed user from reading a certain file, or disabling certain features of the program), but most software-based encryption can be broken by hackers (just look at the amount of programs available to HACK programs to become "full versions". )
Say you want to push a software to other users, but want to protect against piracy (ie, the other user making a copy of this software and selling it as their own). What effective way is there to guard against this (similar to music protection on CD's, like DRM)? Both from a software perspective and a hardware perspective?
Or are those 2 belong to the same class of problems? (Dongles being the hardware / chip based solution, as many noted below)?
So, can chip or hardware based encryption be used? And if so, what exactly is needed? Do you purchase a special kind of CPU, special kind of hardware? What do we need to do?
Any guidance is appreciated, thanks!
Unless you're selling this program for thousands of dollars a copy, it's almost certainly not worth the effort.
As others have pointed out, you're basically talking about a dongle, which, in addition to being a major source of hard-to-fix bugs for developers, is a also a major source of irritation for users, and there's a long history of these supposedly "uncrackable" dongles being cracked. AutoCAD and Cubase are two examples that come to mind.
The bottom line is that a determined enough cracker can still crack dongle protection; and if your software isn't an attractive enough target for the crackers to do this, then it's probably not worth the expense in the first place.
Just my two cents.
Hardware dongles, as other people have suggested, are a common approach for this. This still doesn't solve your problem, though, as a clever programmer can modify your code to skip the dongle check - they just have to find the place in your code where you branch based on whether the check passed or not, and modify that test to always pass.
You can make things more difficult by obfuscating your code, but you're still back in the realm of software, and that same clever programmer can figure out the obfuscation and still achieve his desired goal.
Taking it a step further, you could encrypt parts of your code with a key that's stored in the dongle, and require the bootstrap code to fetch it from the dongle. Now your attacker's job is a little more complicated - they have to intercept the key and modify your code to think it got it from the dongle, when really it's hard-coded. Or you can make the dongle itself do the decryption, passing in the code and getting back the decrypted code - so now your attacker has to emulate that, too, or just take the decrypted code and store it somewhere permanently.
As you can see, just like software protection methods, you can make this arbitrarily complicated, putting more burden on the attacker, but history shows that the tables are tilted in favor of the attacker. While cracking your scheme may be difficult, it only has to be done once, after which the attacker can distribute modified copies to everyone. Users of pirated copies can now easily use your software, while your legitimate customers are saddled with an onerous copy protection mechanism. Providing a better experience for pirates than legitimate customers is a very good way to turn your legitimate customers into pirates, if that's what you're aiming for.
The only - largely hypothetical - way around this is called Trusted Computing, and relies on adding hardware to a user's computer that restricts what they can do with it to approved actions. You can see details of hardware support for it here.
I would strongly counsel you against this route for the reasons I detailed above: You end up providing a worse experience for your legitimate customers than for those using a pirated copy, which actively encourages people not to buy your software. Piracy is a fact of life, and there are users who simply will not buy your software even if you could provide watertight protection, but will happily use an illegitimate copy. The best thing you can do is offer the best experience and customer service to your legitimate customers, making the legitimate copy a more attractive proposition than the pirated one.
They are called dongles, they fit in the USB port (nowadays) and contain their own little computer and some encrypted memory.
You can use them to check the program is valud by testing if the hardware dongle is present, you can store enecryption keys and other info in the dongle or sometimes you can have some program functions run in the dongle. It's based on the dongle being harder to copy and reverse engineer than your software.
See deskey or hasp (seem to have been taken over)
Back in the day I've seen hardware dongles on the parallell port. Today you use USB dongles like this. Wikipedia link.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I suppose this question is a variation on a theme, but different.
Torrents will never replace HTTP, or even FTP download options. This said, why aren't there torrent links next to those options on more websites?
I'm imagining a web-system whereby downloaded files are able to be downloaded via HTTP, say from http://example.com/downloads/files/myFile.tar.bz2, torrents can be cheaply autogenerated and stored in /downloads/torrents/myFile.tar.bz2.torrent, and the tracker might be /downloads/tracker/.
Trackers are a well defined problem, and not incredibly difficult to implement, and there are many drop in place alternatives out there already. I imagine it wouldn't be difficult to customise one to do what is needed here.
The autogenerated torrent file can include the normal HTTP server as a permanent seed, the extensions to do this are very well supported by most, if not all, of the major torrent clients and requires no reconfiguration or special things on the server end (it uses stock standard HTTP Range headers).
Personally, if I setup such a system, I would then speed limit the /downloads/files/ directory to something reasonable, say maybe 40-50kb/s, depending on what exactly you were trying to serve.
Does such a file delivery system exist? Would you use it if it did: for your personal, company, or other website?
first of all: http://torrent.ubuntu.com/ for torrents on ubuntu.
second of all: opera has a built in torrent client.
third: I agree with the stigma attached to p2p. So much so that we have sites that need to be called legaltorrents and such like because by default a torrent would be an illegal thing, and let us not kid ourselves, it is.
getting torrents into the main stream is an excellent idea. you can't tamper with the files you are seeding so there is no risk there.
the big reason is not really stigma. the big reason is analytics, and their protection. with torrents these people (companies like microsoft and such like) would not be able to gather important information about who is doing the downloads (not personally identifiable information, and quickly aggregated away). with torrents, other people would be able to see this information, at least partially. A company would love to seed the torrent of an evaluation version of a competing companys product, just to get an idea of how popular it is and where it is getting downloaded from. It is not as good as hosting the download on your webservers, but it is the next best thing.
this is possibly the reason why the vista download on microsofts sites, or its many service packs and SDKs are not in torrents.
Another thing is that people just wont participate, and that is not difficult to figure out why because of the number of hoops you have to jump through. you got to figure out the firewall, the NAT thing, and then uPNP thing, and then maybe your ISP is throttling your bandwidth, and so on.
Again, I would (and I do) seed my 1.5 times or beyond for the torrents that I download, but that is because these are linux, openoffice that sort of thing. I would probably feel funny seeding adobe acrobat, or some evaluation version or something, because those guys are making profits and I am not a fool to save money for them. Let them pay for http downloads.
edit: (based on the comment by monoxide)
For the freeware out there and for SF.net downloads, their problem is that they cannot rely on seeders and will need their fallback on mirrors anyway, so for them torrents is adding to their expense. One more reason that pops to mind is that even in software shops, Internet access is now thoroughly controlled, and ports on which torrents rely plus the upload requirement is absolutely no-no. Since most people who need these sites and their downloads are in these kinds of offices, they will continue to use http.
BUT even that is not the answer. These people have in their licensing terms restrictions on redistribution. And so their problem is this: if you are seeding their software you are redistributing it. That is a violation of their licensing terms so if they host a torrent download and allow you to seed it, that is entrapment and they can be sued (I am not a lawyer, I learn from watching TV). They have to then delicately change their licensing to allow distribution by seeding torrents but not otherwise. This is an easy enough concept for most of us, but the vagaries of the English language and the dumb hard look on the face of the judge make it a very tricky thing to do. The judge may personally understand torrents, but sitting up their in the court he has to frown and pretend not to because it is not documented in legalese.
That there is the ditch they have dug and there they fall into it. Let us laugh at them and their misery. Yesterdays smart is todays stupid.
Cheers!
I'm wondering if part of it is the stigma associated with torrents. The only software that I see providing torrent links are Linux distros, and not all of them (for example, the Ubuntu website does not provide torrents to download Ubuntu). However, if I said I was going to torrent something, most people associate it with illegal downloads (music, video, TV shows, etc).
I think this might come from the top. An engineer might propose using a torrent system to provide downloads, yet management shudders when they hear the word "torrent".
That said, I would indeed use such a system. Although I doubt I would be able to seed at home (I found that the bandwidth kills the connection for everyone else in the house). However, at school, I probably would not only use such a system, but seed for it as well.
Another problem, as mentioned in the other question, is that torrent software is not built into browsers. Until it is, you won't see widespread use of it.
Kontiki (which is very similar to bittorrent), makes up about 10% of all internet traffic by volume in the UK, and is exclusively used for legal distribution of "big media" content.
There are people who won't install a torrent client because they don't want the RIAA sending them extortion letters and running up legal fees in court when they (the RIAA) break into your computer and see MP3 files that are completely legal backup copies of CDs that were legally purchased.
There's a lot of fear about torrents out there and I'm not comfortable with any of the clients that would allow even limited access to my PC because that's the "camel's nose in the tent".
The other posters are correct. There is a huge stigmata against Torrent files in general due to their use by hackers and people who violate copyright law. Look at PirateBay, that is all they "serve" are torrent files. A lot of cable companies in the US have started traffic shaping Torrent traffic on their networks as well because it is such a bandwidth hog.
Remember that torrents are not a download accellerator. They are meant to offload someone who cannot afford (or maybe just doesn't desire) to pay for all the bandwidth themselves. The users who are seeding take the majority of the load. No one seeding? You get no files.
The torrent protocol is also horrible for being so darn chatty. As much as 40% of your communications on the wire can be control flow messages and chat between clients asking for pieces. This is why cable companies hate it so much. There are some other problems of the torrent end game (where it asks a lot of people for final parts in an attempt to complete the torrent but can sometimes end up with 0 available parts so you are stuck with 99% and seeding for everyone).
http is also pretty well established and can be traffic shaped for load balancers, etc. So most legit companies that serve up their content can afford to host it, or use someone like Akamai to repeat the data and then load balance.
Perhaps its the ubiquity of http-enabled browsers, you don't see so much FTP download links anymore, so that could be the biggest factor (ease of use for the end-user).
Still, I think torrent downloads are a valid alternative, even if they won't be the primary download.
I even suggested Sourceforge auto-generate torrents for downloads, and they agreed it was a good idea.. but havn't implemented it (yet). Here's hoping they will.
Something like this actually exists at speeddemosarchive.com.
The server hosts a Metroid Prime speedrun and provides a permanent seed for it.
I think that it's a very clever idea.
Contrary to your idea, you don't need an HTTP URL.
I think one of the reasons is that (currently) torrent links are not fully supported inside web browser... you have to fire up the torrent client and so on.
Maybe is time for a little firefox extension/plugin? Damn, now I am at work! :)