Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Preventing Software Piracy ???

0 views
Skip to first unread message

Peter Olcott

unread,
Jun 18, 2009, 6:20:39 PM6/18/09
to
What are some of the best products available?


Martin

unread,
Jun 18, 2009, 6:42:59 PM6/18/09
to
Peter Olcott wrote:
> What are some of the best products available?

I find thumb-screws and hot pokers work quite well.

For goodness sake, what a stupid thing to post without any kind of context.

Peter Olcott

unread,
Jun 18, 2009, 10:39:11 PM6/18/09
to
"Martin" <usen...@etiqa.co.uk> wrote in message
news:4a3ac2f4$0$18248$da0f...@news.zen.co.uk...

Copy protection software and hardware systems such as these:
http://www.strongbit.com/execryptor.asp
http://rockey.com.my:80/prod-dongle-rockey6.php

What else is available? How well do these two work?


David Woolley

unread,
Jun 19, 2009, 4:01:40 AM6/19/09
to
How much is your typical customer prepared to spend on breaking them?

How much does the product sell for?

How technically sophisticated are they?

Is there an open source competitor?

How ethical are they?

Are they in a mass market?

Are they in a sort of market that would monitor cracking site?

Is this the sort of market (e.g. like popular music) where the public
perception of what the law should be is much more liberal than what it is?

How much are they prepared to put up with in terms of increased
unreliabilty, inflexibility and built in obsolescence?

What is the useful life of the product?

[Pruning neesgroups; bogus newsgroup; nested scope ]

Martin

unread,
Jun 19, 2009, 6:22:30 AM6/19/09
to

The context should have been along the lines of

"I'm an IT manager and want to stop my users from installing pirate
software ..."

"I want to prevent my kids from ..."

"I'm a software developer working in/on ... and I want to ..."

"I want the ability to scan a network to determine ..."

>
>

Peter Olcott

unread,
Jun 19, 2009, 11:01:46 AM6/19/09
to

"Martin" <usen...@etiqa.co.uk> wrote in message
news:4a3b66e6$0$18249$da0f...@news.zen.co.uk...

My last message was as completely unambiguous as anyone
could possibly be, you are just being too picky.


Peter Olcott

unread,
Jun 19, 2009, 2:31:42 PM6/19/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a3b45e4$0$510$5a6a...@news.aaisp.net.uk...

> Peter Olcott wrote:
>> "Martin" <usen...@etiqa.co.uk> wrote in message
>> news:4a3ac2f4$0$18248$da0f...@news.zen.co.uk...
>>> Peter Olcott wrote:
>>>> What are some of the best products available?
>>> I find thumb-screws and hot pokers work quite well.
>>>
>>> For goodness sake, what a stupid thing to post without
>>> any kind of context.
>>
>> Copy protection software and hardware systems such as
>> these:
>> http://www.strongbit.com/execryptor.asp
>> http://rockey.com.my:80/prod-dongle-rockey6.php
>>
>> What else is available? How well do these two work?
> How much is your typical customer prepared to spend on
> breaking them?

If a system can be devised that is uncrackable (like rockey6
may be) this is moot.

>
> How much does the product sell for?
>

The price range for products in this category is $500 to
$20,000 per seat.

> How technically sophisticated are they?

If a system can be devised that is uncrackable (like rockey6
may be) this is moot.

>
> Is there an open source competitor?

No

>
> How ethical are they?
Varies too much to say. Client base probably has above
average ethics.

>
> Are they in a mass market?

Nche market.

>
> Are they in a sort of market that would monitor cracking
> site?
>

I don't know what this means.

> Is this the sort of market (e.g. like popular music) where
> the public perception of what the law should be is much
> more liberal than what it is?

No.

>
> How much are they prepared to put up with in terms of
> increased unreliabilty, inflexibility and built in
> obsolescence?

Copy protection schemes will probably be well tolerated
because available alternatives are very few.

life of the product?

However long graphical user interfaces are the norm, in
other words very long.

Doug McIntyre

unread,
Jun 19, 2009, 3:00:01 PM6/19/09
to
"Peter Olcott" <NoS...@SeeScreen.com> writes:
>If a system can be devised that is uncrackable (like rockey6
>may be) this is moot.

Nothing is uncrackable.

Everything can be cracked given enough motive and time and effort.
(including all of these obscuration exe packers). Ie. look at
Microsoft's software, which has a very high value of being copied, has
millions of $$ devoted to protection, and yet, crackers are still able
to use a variety of methods to get around copy restrictions in it.
Granted, alot of the methods lately require quite some hoops to jump
through now.

The main questions they are asking you about how much motive somebody
may have for what value you place on it. You're giving answers all
over the place to the point of being totally vague.

This sort of thing is totally about cost of protection vs. value received.
There is no one set answer cure all. Its all a tradeoff.

Also realize, you aren't talking amongst software developers here, but
people that study security in many different forms.

Peter Olcott

unread,
Jun 19, 2009, 3:32:15 PM6/19/09
to
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4a3be031$0$18867$8046...@newsreader.iphouse.net...

> "Peter Olcott" <NoS...@SeeScreen.com> writes:
>>If a system can be devised that is uncrackable (like
>>rockey6
>>may be) this is moot.
>
> Nothing is uncrackable.
>
> Everything can be cracked given enough motive and time and
> effort.
> (including all of these obscuration exe packers). Ie. look
> at
> Microsoft's software, which has a very high value of being
> copied, has
> millions of $$ devoted to protection, and yet, crackers
> are still able
> to use a variety of methods to get around copy
> restrictions in it.
> Granted, alot of the methods lately require quite some
> hoops to jump
> through now.

I think that has just now changed with the advent of
hardware dongles with processing power and memory. I think
that it is now at least theoretically possible to make copy
protection infeasible to crack.

>
> The main questions they are asking you about how much
> motive somebody
> may have for what value you place on it. You're giving
> answers all
> over the place to the point of being totally vague.
>
> This sort of thing is totally about cost of protection vs.
> value received.
> There is no one set answer cure all. Its all a tradeoff.

For a software package where a single seat costs $20,000
there is a lot of weight on the side of preventing cracking.

Doug McIntyre

unread,
Jun 19, 2009, 4:07:52 PM6/19/09
to
"Peter Olcott" <NoS...@SeeScreen.com> writes:
>"Doug McIntyre" <mer...@geeks.org> wrote in message
>> Nothing is uncrackable.

>I think that has just now changed with the advent of
>hardware dongles with processing power and memory. I think
>that it is now at least theoretically possible to make copy
>protection infeasible to crack.

Ha ha.

If a computer has to run it, the software can be cracked. No matter what.

They've had dongles with memory and CPUs on them for a long time.
Nothing new there. Most of the time, customers of these items
implement the most basic use of them thinking them highly secure when
in fact they can be easily defeated if they don't keep up their end of
the security configuration.

Would you make such blanket statements about bank vaults or safes
that can never be broken into? High security locks that can never be picked?

All of this is cost vs. effort tradeoff. How much do you want to
inconvience your legit users vs. protecting your assets?

Look at what others are doing in the same realm as you. I have
software/hardware appliances that costs more than that (running pretty
commodity hardware, all the costs are in the software). In general,
about as far as these vendors go is to provide a license file to me
after we buy it that gets put on the box, maybe tying it to the serial
number of the hardware I have.


Peter Olcott

unread,
Jun 19, 2009, 4:46:04 PM6/19/09
to

"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4a3bf018$0$18866$8046...@newsreader.iphouse.net...

> "Peter Olcott" <NoS...@SeeScreen.com> writes:
>>"Doug McIntyre" <mer...@geeks.org> wrote in message
>>> Nothing is uncrackable.
>
>>I think that has just now changed with the advent of
>>hardware dongles with processing power and memory. I think
>>that it is now at least theoretically possible to make
>>copy
>>protection infeasible to crack.
>
> Ha ha.
>
> If a computer has to run it, the software can be cracked.
> No matter what.

Not if the computer that is running it is on the dongle and
100% totally inaccessible to any and all outside
observation.

>
> They've had dongles with memory and CPUs on them for a
> long time.
> Nothing new there. Most of the time, customers of these
> items
> implement the most basic use of them thinking them highly
> secure when
> in fact they can be easily defeated if they don't keep up
> their end of
> the security configuration.
>
> Would you make such blanket statements about bank vaults
> or safes
> that can never be broken into? High security locks that
> can never be picked?

How about cracking PGP encryption? Phil Zimmerman (PGP's
inventor) told me the computational complexity of this.
Cracking PGP is infeasible. It would take something like
trillions of years to crack a single message. If this kind
of technology could be directly applied to copy protection,
then copy protection would become uncrackable.

David Woolley

unread,
Jun 19, 2009, 5:40:02 PM6/19/09
to
Peter Olcott wrote:

> Not if the computer that is running it is on the dongle and
> 100% totally inaccessible to any and all outside
> observation.

"It" would have to be the $20,000 application, not the copy protection
software. If only the copy protection code is there you simply trace the
program to where it tests the dongle, and bypass the test. I've heard
of this sort of thing being done simply because it was too much hassle
to get new licence keys when running on a temporary replacement machine.

If the dongle decrypts the program, you capture it after the decryption.

If you are desperate enough, you carefully disassemble the dongle and
read the code in a scanning electron microscope. There are, supposedly
techniques for making things self destruct, but they tend only to be
used in cryptographic engines, and I suspect some organisations know how
to defeat them.

David Woolley

unread,
Jun 19, 2009, 5:44:18 PM6/19/09
to
Peter Olcott wrote:

>
> If a system can be devised that is uncrackable (like rockey6
> may be) this is moot.

If they have physical access to the hardware it is crackable by means
other than brute force.

>
> life of the product?
>
> However long graphical user interfaces are the norm, in
> other words very long.

There should be significant resistance to copy protection because the
product is likely to die prematurely. Dongles might be slightly better
than keys in the code, but they are still relying on your company
staying in business and interested in the product, neither of which is
common in the real world.

Peter Olcott

unread,
Jun 19, 2009, 5:59:24 PM6/19/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a3c05b3$0$518$5a6a...@news.aaisp.net.uk...

> Peter Olcott wrote:
>
>> Not if the computer that is running it is on the dongle
>> and 100% totally inaccessible to any and all outside
>> observation.
>
> "It" would have to be the $20,000 application, not the
> copy protection software. If only the copy protection code
> is there you simply trace the program to where it tests
> the dongle, and bypass the test. I've heard

Nope it is not that simple. The software request the dongle
perform a complex operation that without which it cannot
proceed. In other words part of the software system being
protected in only available from the dongle.

> of this sort of thing being done simply because it was too
> much hassle to get new licence keys when running on a
> temporary replacement machine.
>
> If the dongle decrypts the program, you capture it after
> the decryption.

Not if the decryption is only done in the dongle, and only
the output of the computation is provided.

>
> If you are desperate enough, you carefully disassemble the
> dongle and

Nope as soon as the dongle is disassembled its internal
memory is erased.

> read the code in a scanning electron microscope. There
> are, supposedly techniques for making things self
> destruct, but they tend only to be used in cryptographic
> engines, and I suspect some organisations know how to
> defeat them.

http://www.mydigitaldefense.com/
Nope. I worked here as a software engineer, their system is
even uncrackable by its original designer.


Peter Olcott

unread,
Jun 19, 2009, 6:05:47 PM6/19/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a3c06b4$0$516$5a6a...@news.aaisp.net.uk...

> Peter Olcott wrote:
>
>>
>> If a system can be devised that is uncrackable (like
>> rockey6 may be) this is moot.
>
> If they have physical access to the hardware it is
> crackable by means other than brute force.

As soon as the hardware is opened up its memory completely
erases.

>
>>
>> life of the product?
>>
>> However long graphical user interfaces are the norm, in
>> other words very long.
>
> There should be significant resistance to copy protection
> because the product is likely to die prematurely. Dongles
> might be slightly better

I think that there may be a way to apply uncrackable PGP
encryption to copy protection so that the copy protection
becomes uncrackable. Certainly if the whole application only
ran on the dongle, this would work.

David Woolley

unread,
Jun 20, 2009, 1:11:59 AM6/20/09
to
Peter Olcott wrote:

> I think that there may be a way to apply uncrackable PGP
> encryption to copy protection so that the copy protection
> becomes uncrackable. Certainly if the whole application only
> ran on the dongle, this would work.

PGP uses the same sorts of algorithm as SSL. It is not a one time pad
system, so it is crackable. It may take unreasonably long on current
hardware, so a real attack would simply look for a weaker link.

Peter Olcott

unread,
Jun 20, 2009, 5:48:06 AM6/20/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a3c6fa1$0$512$5a6a...@news.aaisp.net.uk...

Since the copy protection of the application would be
uncrackable if:
(1) The whole application ran on the dongle.
(2) The internal workings of the dongle are completely
inaccessible to outside observation.
Therefore any application that has a portion of itself run
on the dongle would be uncrackable to the same extent that
this portion can not be reverse-engineered.


David Woolley

unread,
Jun 21, 2009, 4:12:53 AM6/21/09
to
Peter Olcott wrote:
le are completely
> inaccessible to outside observation.
> Therefore any application that has a portion of itself run
> on the dongle would be uncrackable to the same extent that
> this portion can not be reverse-engineered.

Then you are protecting yourself from firmware privacy, not software
piracy, and you are selling hardware, not software.

In practice, though, there are relatively few commercial applications,
where there is a relatively small, stable, closely guarded secret;
encryption is probably the main one. The chances are that any useful,
non-encryption algorithm has only polynomial complexity in respect of a
black box attack on it.

In my experience, though, most commercial applications are either:

- dumbing down and adding a GUI front end to a subset of algorithms well
known in academia (the value is in the bulky user interface code);

- based on a rapidly changing set of data, in which case what is really
being sold is the service of researching and maintaining that data.
>
>

Doug McIntyre

unread,
Jun 22, 2009, 10:39:39 AM6/22/09
to
"Peter Olcott" <NoS...@SeeScreen.com> writes:
>> If a computer has to run it, the software can be cracked.
>> No matter what.

>Not if the computer that is running it is on the dongle and
>100% totally inaccessible to any and all outside
>observation.

Then its not a computer, you now have a black box, and protecting
it can be easier when you control the whole thing, although again,
if somebody made it, it can be taken apart. Dongles don't have enough
CPU power/memory on them to run the whole program, typical
sizes of dongles are 32k or 64k.

>How about cracking PGP encryption? Phil Zimmerman (PGP's
>inventor) told me the computational complexity of this.
>Cracking PGP is infeasible. It would take something like
>trillions of years to crack a single message. If this kind
>of technology could be directly applied to copy protection,
>then copy protection would become uncrackable.

The main protection offered by PGP is that the private key stays in
the hands of the sender. In a computer system, you will need to be
running this without a physical visit by you each time the end user
wants to run the program to provide the private key needed to unlock it.

Even so, the computing power needed to crack a PGP message is rapidly
coming down in time, but still, the main thing is a computer program
can't use public key encryption easily, because you will need to
embed a private key in the binary as well as the public key seen.

I have seen some license systems utilize GPG to sign their license files.
One way to circumvent this system is to find the GPG private key that is
embedded inside the program code (usually pretty easy to find),
replace it with one of your own, and now you can sign any license file
you want to provide the code and the code will happily accept it as
its own.

Doug McIntyre

unread,
Jun 22, 2009, 10:52:15 AM6/22/09
to
"Peter Olcott" <NoS...@SeeScreen.com> writes:
>Nope it is not that simple. The software request the dongle
>perform a complex operation that without which it cannot
>proceed. In other words part of the software system being
>protected in only available from the dongle.

This is the basis of all hardware copy protection dongles for the last
20+ years?

And usually in the end, the protected app usually ends up doing
something like

lcall DongleAPI(0xbafa0193,0xbeef000f)
cmp eax,0xc0ffee23

Whereas the crack promptly patchs over this with
lea eax,0xc0ffee23
cmp eax,0xc0ffee23

Yes, they can go through and try to obfuscate where this DongleAPI is
called, but in the end, they are usually easy to find for most apps.

>Not if the decryption is only done in the dongle, and only
>the output of the computation is provided.

And the program code then shows what it is expecting, and the cracker
just patches out the call to make it look just like what the code
is expecting..

>Nope as soon as the dongle is disassembled its internal
>memory is erased.

There are ways to circumvent that. There are FIPS standards laying out
what makes a physically secure package, usually these cards (mostly
used for ATMs and such) are fairly large packages, small brick sized.

And yet, usually attacks usually don't have to go that far.

> http://www.mydigitaldefense.com/
>Nope. I worked here as a software engineer, their system is
>even uncrackable by its original designer.

The original designer is a always poor choice for attacking a
system. They are usually very biased that their design is perfect, and
can never be circumvented..

Peter Olcott

unread,
Jun 22, 2009, 11:30:39 AM6/22/09
to

"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4a3f97ab$0$92356$8046...@newsreader.iphouse.net...

It is stored on the dongle in encrypted form. The dongle
erases all of its memory when disassembled.

>
> Even so, the computing power needed to crack a PGP message
> is rapidly
> coming down in time, but still, the main thing is a
> computer program
> can't use public key encryption easily, because you will
> need to
> embed a private key in the binary as well as the public
> key seen.
>
> I have seen some license systems utilize GPG to sign their
> license files.
> One way to circumvent this system is to find the GPG
> private key that is
> embedded inside the program code (usually pretty easy to
> find),
> replace it with one of your own, and now you can sign any
> license file
> you want to provide the code and the code will happily
> accept it as
> its own.
>

When the private key is stored on the dongle in encrypted
form, and the execution of the dongle can not be traced,
then the private key is safe.


Doug McIntyre

unread,
Jun 22, 2009, 11:41:51 AM6/22/09
to
"Peter Olcott" <NoS...@SeeScreen.com> writes:
>> The main protection offered by PGP is that the private key
>> stays in
>> the hands of the sender. In a computer system, you will
>> need to be
>> running this without a physical visit by you each time the
>> end user
>> wants to run the program to provide the private key needed
>> to unlock it.

>It is stored on the dongle in encrypted form. The dongle
>erases all of its memory when disassembled.

Okay, then the cracker loads up the program with the dongle. Then
captures the image of the running decrypted program in memory and
writes a new loader around the decrypted program image.

Or, since the output will be the same each time the dongle runs it,
he captures the output of the dongle, and bypasses the use of the
dongle after the first time it is used by patching around the API call
to decrypt something, feeding his captured input instead.

You can't trust that a cracker will never have access to hardware
you provide to end customers.

Peter Olcott

unread,
Jun 22, 2009, 11:44:22 AM6/22/09
to

"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4a3f9a9f$0$92356$8046...@newsreader.iphouse.net...

> "Peter Olcott" <NoS...@SeeScreen.com> writes:
>>Nope it is not that simple. The software request the
>>dongle
>>perform a complex operation that without which it cannot
>>proceed. In other words part of the software system being
>>protected in only available from the dongle.
>
> This is the basis of all hardware copy protection dongles
> for the last
> 20+ years?
>
> And usually in the end, the protected app usually ends up
> doing
> something like
>
> lcall DongleAPI(0xbafa0193,0xbeef000f)
> cmp eax,0xc0ffee23
>
> Whereas the crack promptly patchs over this with
> lea eax,0xc0ffee23
> cmp eax,0xc0ffee23

No, not this at all. This may be the way that it is
typically done, but, this is NOT what I am proposing.

Four 32 bit parameters in and four 32 bit result values out.
2^128 possible results. The correct result is required for
the correct execution of the program. It is not simply a
license check value, it is data required by the program.

>
> Yes, they can go through and try to obfuscate where this
> DongleAPI is
> called, but in the end, they are usually easy to find for
> most apps.
>
>>Not if the decryption is only done in the dongle, and only
>>the output of the computation is provided.
>
> And the program code then shows what it is expecting, and
> the cracker
> just patches out the call to make it look just like what
> the code
> is expecting..

Sure and the cracker only has to test 2^128 combinations and
then provide a lookup table of 2^128 32-bit integers.

Peter Olcott

unread,
Jun 22, 2009, 12:32:29 PM6/22/09
to

"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4a3fa63f$0$92354$8046...@newsreader.iphouse.net...

> "Peter Olcott" <NoS...@SeeScreen.com> writes:
>>> The main protection offered by PGP is that the private
>>> key
>>> stays in
>>> the hands of the sender. In a computer system, you will
>>> need to be
>>> running this without a physical visit by you each time
>>> the
>>> end user
>>> wants to run the program to provide the private key
>>> needed
>>> to unlock it.
>
>>It is stored on the dongle in encrypted form. The dongle
>>erases all of its memory when disassembled.
>
> Okay, then the cracker loads up the program with the
> dongle. Then
> captures the image of the running decrypted program in
> memory and
> writes a new loader around the decrypted program image.
>
There is no encrypted program, instead there is an
inaccessible program with 2^128 possible outputs.

> Or, since the output will be the same each time the dongle
> runs it,
> he captures the output of the dongle, and bypasses the use
> of the
> dongle after the first time it is used by patching around
> the API call
> to decrypt something, feeding his captured input instead.

2^128 possible outputs is too many to bypass.

Volker Birk

unread,
Jun 23, 2009, 7:34:25 AM6/23/09
to
Peter Olcott <NoS...@seescreen.com> wrote:
> What are some of the best products available?

Make a distributed system. Require the user to connect to some service.
Only deliver results.

Yours,
VB.
--
Ceci n’est pas une pipe: |

Peter Olcott

unread,
Jun 23, 2009, 10:34:41 AM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1qek1...@news.in-ulm.de...

Yes that would be a very effective solution. If the input
data is provided to this service, and the output data is
encrypted, and only the dongle knows how to decrypt this
data, and each piece of data is only decrypted within the
dongle, then copy protection may be close to uncrackable.


Volker Birk

unread,
Jun 23, 2009, 10:40:04 AM6/23/09
to
Peter Olcott <NoS...@seescreen.com> wrote:
> "Volker Birk" <bum...@dingens.org> wrote in message
> news:h1qek1...@news.in-ulm.de...
>> Peter Olcott <NoS...@seescreen.com> wrote:
>>> What are some of the best products available?
>> Make a distributed system. Require the user to connect to
>> some service.
>> Only deliver results.
> Yes that would be a very effective solution. If the input
> data is provided to this service, and the output data is
> encrypted, and only the dongle knows how to decrypt this
> data, and each piece of data is only decrypted within the
> dongle, then copy protection may be close to uncrackable.

You don't need a dongle then.

Peter Olcott

unread,
Jun 23, 2009, 11:16:02 AM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1qpg4...@news.in-ulm.de...

I would need the dongle to hide the decryption process. I am
aiming to be as uncrackable as possible.


Volker Birk

unread,
Jun 23, 2009, 11:27:20 AM6/23/09
to
Peter Olcott <NoS...@seescreen.com> wrote:
> "Volker Birk" <bum...@dingens.org> wrote in message
> news:h1qpg4...@news.in-ulm.de...
>> Peter Olcott <NoS...@seescreen.com> wrote:
>>> "Volker Birk" <bum...@dingens.org> wrote in message
>>> news:h1qek1...@news.in-ulm.de...
>>>> Peter Olcott <NoS...@seescreen.com> wrote:
>>>>> What are some of the best products available?
>>>> Make a distributed system. Require the user to connect
>>>> to
>>>> some service.
>>>> Only deliver results.
>>> Yes that would be a very effective solution. If the input
>>> data is provided to this service, and the output data is
>>> encrypted, and only the dongle knows how to decrypt this
>>> data, and each piece of data is only decrypted within the
>>> dongle, then copy protection may be close to uncrackable.
>> You don't need a dongle then.
> I would need the dongle to hide the decryption process. I am
> aiming to be as uncrackable as possible.

You don't need an decryption process, only authentication.

Peter Olcott

unread,
Jun 23, 2009, 11:46:37 AM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1qs8o...@news.in-ulm.de...

From a copy protection point of view you may be correct.
From an intellectual property protection point of view there
would still be a gap in protection if the data was not
encrypted and decrypted within black boxes.


Volker Birk

unread,
Jun 23, 2009, 12:27:30 PM6/23/09
to
Peter Olcott <NoS...@seescreen.com> wrote:
>> You don't need an decryption process, only authentication.
> From a copy protection point of view you may be correct.
> From an intellectual property protection point of view there
> would still be a gap in protection if the data was not
> encrypted and decrypted within black boxes.

There is no such thing as a software black box. Your authentication
software has to be secure even if you're pulicizing the source code.

If you're searching for a solution for business purposes, just send a
mail.

Peter Olcott

unread,
Jun 23, 2009, 1:10:31 PM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1qvpi...@news.in-ulm.de...

> Peter Olcott <NoS...@seescreen.com> wrote:
>>> You don't need an decryption process, only
>>> authentication.
>> From a copy protection point of view you may be correct.
>> From an intellectual property protection point of view
>> there
>> would still be a gap in protection if the data was not
>> encrypted and decrypted within black boxes.
>
> There is no such thing as a software black box. Your
> authentication
> software has to be secure even if you're pulicizing the
> source code.
>

A software black box is software that is implemented as
inaccessible firmware.

Peter Olcott

unread,
Jun 23, 2009, 2:07:00 PM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1qvpi...@news.in-ulm.de...

That would not prevent an authorized user from making
unauthorized copies, here is more on the dongle idea:
http://www.halfbakery.com/idea/copy_20protection_20dongle


Volker Birk

unread,
Jun 23, 2009, 4:21:18 PM6/23/09
to
Peter Olcott <NoS...@seescreen.com> wrote:
> A software black box is software that is implemented as
> inaccessible firmware.

There ain't no such thing like an inaccessable firmware. But, be happy:
in a distributed system, you don't need any.

Peter Olcott

unread,
Jun 23, 2009, 5:46:26 PM6/23/09
to

"Volker Birk" <bum...@dingens.org> wrote in message
news:h1rdfu...@news.in-ulm.de...

> Peter Olcott <NoS...@seescreen.com> wrote:
>> A software black box is software that is implemented as
>> inaccessible firmware.

Maybe I used the wrong terms, a self contained computer with
the only access available through mutually authenticated
encrypted communication over the airwaves, with all of its
software and data stored in volatile ram that is erased
whenever the unit is in any way physically tampered with.

David Woolley

unread,
Jun 24, 2009, 2:33:10 AM6/24/09
to
Peter Olcott wrote:

>
> Sure and the cracker only has to test 2^128 combinations and
> then provide a lookup table of 2^128 32-bit integers.
>

Only if the overall application depends on an NP-complete step, with
random internal parameters. Encryption may well be the only such
application.

David Woolley

unread,
Jun 24, 2009, 2:49:15 AM6/24/09
to
Peter Olcott wrote:
> "Volker Birk" <bum...@dingens.org> wrote in message
> news:h1rdfu...@news.in-ulm.de...
>> Peter Olcott <NoS...@seescreen.com> wrote:
>>> A software black box is software that is implemented as
>>> inaccessible firmware.
>
> Maybe I used the wrong terms, a self contained computer with
> the only access available through mutually authenticated
> encrypted communication over the airwaves, with all of its

I didn't follow the reference given earlier, but I did wonder whether
this whole thread was actually a sales pitch. I'd point out that smart
cards have been in active service for decades. All current mobile
phones use them and so do most bank cards. My rapid transit ticket
does, and so do many sporting season tickets.

> software and data stored in volatile ram that is erased
> whenever the unit is in any way physically tampered with.

Tamper resistant security modules are an even older idea than smart
cards, although mainly used in military contexts and for ATMs.

The reliance on batteries will make them relatively fragile and limit
their life. I suspect government agencies have some expertise in
defeating the self destruct on such devices.
>

David Woolley

unread,
Jun 24, 2009, 2:58:43 AM6/24/09
to
Peter Olcott wrote:

>
> Sure and the cracker only has to test 2^128 combinations and
> then provide a lookup table of 2^128 32-bit integers.
>

Which they can do as, presumably, the application needs frequent access
to the calculation, unlike a pure authentication device, which will
typically lock out after three attemps.

Further to the note on polynomial time problems, in many real world,
non-encryption, cases it will be possible to interpolate between
parameter sets, which is probably all that the dongle does.

chris

unread,
Jun 24, 2009, 4:39:50 AM6/24/09
to
"Peter Olcott" wrote

> > Make a distributed system. Require the user to connect to
> > some service.
> > Only deliver results.

> Yes that would be a very effective solution. If the input


> data is provided to this service, and the output data is
> encrypted, and only the dongle knows how to decrypt this
> data, and each piece of data is only decrypted within the
> dongle, then copy protection may be close to uncrackable.

and what for information does that dongel send to the service?
Is it confidential? How can I trust a program/dongle that sends
privat information over the internet? I have to trust the software
100% that it's not sending MY privat information.

no working internet, no working program!?

no firm, program stops working?

Why should I buy such software?


Peter Olcott

unread,
Jun 24, 2009, 9:43:48 AM6/24/09
to

"chris" <no...@home.ccc> wrote in message
news:5de55$4a41e665$5ed4c369$16...@cache2.tilbu1.nb.home.nl...
Because it saves $50,000 per year, and the next best
alternative to my $500 program costs $9000.


Peter Olcott

unread,
Jun 24, 2009, 9:52:08 AM6/24/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a41cea5$0$510$5a6a...@news.aaisp.net.uk...

Four 32-bit integers are encrypted on a web app, and only
decrypted one at a time in the dongle. The encryption
process always changes because it begins with a different
random number. The random number is encrypted and stored
somewhere in a large data set. The dongle knows where the
random number is, but reads the whole data set anyway.


chris

unread,
Jun 24, 2009, 11:50:13 AM6/24/09
to
"Peter Olcott" wrote

> >> Yes that would be a very effective solution. If the input
> >> data is provided to this service, and the output data is
> >> encrypted, and only the dongle knows how to decrypt this
> >> data, and each piece of data is only decrypted within the
> >> dongle, then copy protection may be close to uncrackable.
> >
> > and what for information does that dongel send to the
> > service?
> > Is it confidential? How can I trust a program/dongle that
> > sends
> > privat information over the internet? I have to trust the
> > software
> > 100% that it's not sending MY privat information.
> >
> > no working internet, no working program!?
> >
> > no firm, program stops working?
> >
> > Why should I buy such software?
> >
> >
> Because it saves $50,000 per year, and the next best
> alternative to my $500 program costs $9000.

oh dear, $ 50,00 per year. Not bad for a program that's not yet
on the market; an alpha release.
Sorry, in that case I prefer only a dongle without any internet use.
Use my CPU id and maybe some other hardware as identification.
I have computers not connected to the internet for security reasons.
That's make your software useless I think.

We still don't know what your software should do. You could ask
$500 for a sniffin dongle and because all the info is encrypted we
don't know what the dongle is sending. Nice gadget ;-).
We pay you $ 500 and we save $ 50,000 because you don't attack
our computers if your bots detect your dongle.

Software piracy is part of the internet; you have to life with it.
Your solution ( internet encrypted dongle spy ) has no future.

Peter Olcott

unread,
Jun 24, 2009, 12:00:57 PM6/24/09
to

"chris" <no...@home.ccc> wrote in message
news:58de6$4a424b51$5ed4c369$24...@cache5.tilbu1.nb.home.nl...
The leading automated testing application Quick Test
Professional replaces three full time human testers and
costs only $20,000. I am going to be selling this same sort
of system for $500.00. Because my price is so much less
than the competition, I want to do everything that I can to
completely eliminate piracy.

chris

unread,
Jun 25, 2009, 7:12:40 AM6/25/09
to
"Peter Olcott" wrote

> The leading automated testing application Quick Test
> Professional replaces three full time human testers and
> costs only $20,000. I am going to be selling this same sort
> of system for $500.00. Because my price is so much less
> than the competition, I want to do everything that I can to
> completely eliminate piracy.

if your device is an instrument like that Beverly Crusher uses
you have to worry more about industrial software patents then
piracy.
The competition will eliminate you, just like M$ has eliminate
a lot of good software tools. Buy the company and shut it down.


Peter Olcott

unread,
Jun 25, 2009, 7:45:41 AM6/25/09
to

"chris" <no...@home.ccc> wrote in message
news:cb2bc$4a435bae$5ed4c369$30...@cache6.tilbu1.nb.home.nl...
I have a patent on this technology. I am going for two or
three patents.


David Woolley

unread,
Jun 25, 2009, 6:22:42 PM6/25/09
to
Peter Olcott wrote:

>>
> I have a patent on this technology. I am going for two or
> three patents.
>

As I understand patents, you have to reveal enough detail to allow other
to implement the invention, which means the secret part of the algorithm
cannot be essential to the patented invention without revealing enough
of its structure to considerable facilitate reverse engineering the
dongle's critical functions.

Patents are a reward for revealing what would otherwise be trade secrets.

I also suspect a lot of people here are uneasy with software patents.

>

Peter Olcott

unread,
Jun 25, 2009, 9:55:01 PM6/25/09
to

"David Woolley" <da...@ex.djwhome.demon.co.uk.invalid> wrote
in message news:4a43f8b4$0$516$5a6a...@news.aaisp.net.uk...

Yes, that just occurred to me in the last few days. Because
of this I may cancel my pending patent and just keep the
current one. The pending patent reveals many more details of
significant development that occurred after the first patent
was filed.

The copy protection that one of my competitors uses is to
sell the license for such an enormous price that he can
afford to spend a few hours getting to know his prospective
customers before releasing any software or users manuals.
The prospective customer must also prove who they really are
before any sale is even considered.


chris

unread,
Jun 26, 2009, 3:16:44 PM6/26/09
to
"Peter Olcott" wrote

> Yes, that just occurred to me in the last few days. Because
> of this I may cancel my pending patent and just keep the
> current one. The pending patent reveals many more details of
> significant development that occurred after the first patent
> was filed.

that's not the whole story.
You also have to think about the way your program works.
Uses it a database? Lots of patents blocking the free use in your program.
Uses it ( genetic ) algorithms? Uses it neural networks? Uses it expert
systems?
How does it proces the scan information ( if it use a scanning device ).
Etc, etc. and a lot of patents block the free use in whatever program.
Very frustrating and it's shouldn't be allowed because nice software never
sees
the market.

> The copy protection that one of my competitors uses is to
> sell the license for such an enormous price that he can
> afford to spend a few hours getting to know his prospective
> customers before releasing any software or users manuals.
> The prospective customer must also prove who they really are
> before any sale is even considered.

you could also include a scrambled algorith in your software with a
nummer, name of the seller or something like that.
Just like a lot of software programs the program stops working
if you know it's an illegal version.
That requires an internet connection and you know who was
responsible for that 'evaluation copy'.
But I still think a dongle with some nice scrambled tricks does the trick.


Peter Olcott

unread,
Jun 26, 2009, 6:25:36 PM6/26/09
to

"chris" <no...@home.ccc> wrote in message
news:a6c5d$4a451ede$5ed4c369$22...@cache5.tilbu1.nb.home.nl...

> "Peter Olcott" wrote
>
>> Yes, that just occurred to me in the last few days.
>> Because
>> of this I may cancel my pending patent and just keep the
>> current one. The pending patent reveals many more details
>> of
>> significant development that occurred after the first
>> patent
>> was filed.
>
> that's not the whole story.
> You also have to think about the way your program works.
> Uses it a database? Lots of patents blocking the free use
> in your program.
> Uses it ( genetic ) algorithms? Uses it neural networks?
> Uses it expert
> systems?
> How does it proces the scan information ( if it use a
> scanning device ).
> Etc, etc. and a lot of patents block the free use in
> whatever program.
> Very frustrating and it's shouldn't be allowed because
> nice software never
> sees
> the market.

I don't have to worry about all that
http://www.seescreen.com/Unique.html
My invention mostly just uses a couple of very old processes
to achieve a brand new result.
(1) Deterministic Finite Automaton
(2) Binary Search
The new result is 100% accurate character glyph recognition
at display screen resolutions that is at least 100-fold
faster than alternatives. Also the next best 100-fold slower
alternative is only about 90% accurate.

>
>> The copy protection that one of my competitors uses is to
>> sell the license for such an enormous price that he can
>> afford to spend a few hours getting to know his
>> prospective
>> customers before releasing any software or users manuals.
>> The prospective customer must also prove who they really
>> are
>> before any sale is even considered.
>
> you could also include a scrambled algorith in your
> software with a
> nummer, name of the seller or something like that.
> Just like a lot of software programs the program stops
> working
> if you know it's an illegal version.
> That requires an internet connection and you know who was
> responsible for that 'evaluation copy'.
> But I still think a dongle with some nice scrambled tricks
> does the trick.
>
>

The dongle might be too slow to be practical, and neither of
the dongle companies respond to my repeated emails.

I may just use conventional try before you buy trialware
protection of a hobbled product, that is hobbled enough to
prevent any useful work, but, not so much that all the
features can not be tested.


0 new messages