On Dec 29, 2009, at 2:44 PM, Rafael Bugajewski wrote:

> On 12/29/2009, at 08:20 PM, Benjamin Ragheb wrote:
>
>> To repeat what was said earlier, it does matter. If the keygens create
>> keys that are also used by paying customers, you then cannot blacklist
>> bad keys without inconveniencing paying customers.
>
> This *heavily* depends on your algorithm. If you generate a key from the
> user's name and email address, then the probability is equal to 0 that a
> legit and a generated serial number will collide.

It's not a serial number collision that causes the inconvenience for your real customers. Once there's a keygen, you have no way of distinguishing a legit serial from a non-legit serial using your algorithm, period. The only remedy is to change to another algorithm, retroactively invalidating all of your paying customers' serials in the process. You can't just start issuing new serials without impacting existing customers, because again, you have no way of distinguishing in the field whether this is a paid customer or not.

>> In other words, it's not about how crackable it is, but limiting the
>> damage that crackers can cause. Considering that an asymmetric scheme
>> is no harder to implement than any other one, it's good advice.
>
> The damage of both techniques can be equal. And I don't know if recommending
> a framework to prevent piracy is good advice at all. I'm not against any
> framework, but a self-baked solution would be more unique and require more
> effort to crack—under the assumption that you have enough knowledge and time.

Using a stock solution verbatim provides 100% of the keygen resistance for 0% of the work, and it's highly unlikely something is screwed up where your security is just null and void. Spending a small amount of time doing minor obfuscation and clever usages of the infrastructure gives you, say, 95% of the crack resistance (because it can't just be blindly pattern matched, and any infrastructure that has the same functionality will look approximately the same within the realm of obfuscation) for 1% of the work. It's unlikely that ordinary obfuscation techniques will break the security of the system. Or, you could do the other 99% of the work yourself to get 5% more crack resistance from being slightly more differentiated, plus the risk that you screwed something up along the way. If it's that important to you and you have that much knowledge and time, knock yourself out.
=)

Best,
br

--
Benjamin Rister
President, Decimus Software, Inc.
http://decimus.net/
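The point made in this message, that an asymmetric scheme lets the shipped app verify serials while holding nothing that could mint one, is easier to see in code. The following is an added example, not code from the thread or from any product discussed in it. It uses Go's standard crypto/ed25519: the vendor signs a payload bound to the customer's name and email with the private key, the app checks it with only the public key, and revocation is a blacklist of serial fingerprints. The payload format, the base32 serial encoding and the fingerprint-based blacklist are design choices assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strings"
)

// serialEncoding renders the 64-byte signature as an unpadded base32 string.
var serialEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// licensePayload canonicalises the identity the serial is bound to, so that
// case or whitespace differences in what the customer types do not matter.
func licensePayload(name, email string) []byte {
	norm := func(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
	return []byte(norm(name) + "\n" + norm(email))
}

// IssueLicense runs only on the vendor's side: it needs the private key.
func IssueLicense(priv ed25519.PrivateKey, name, email string) string {
	sig := ed25519.Sign(priv, licensePayload(name, email))
	return serialEncoding.EncodeToString(sig)
}

// serialID is a short fingerprint of a serial; this is what a blacklist
// stores, so a revocation list never has to contain the serial itself.
func serialID(serial string) string {
	sum := sha256.Sum256([]byte(serial))
	return hex.EncodeToString(sum[:8])
}

// Blacklist is the set of serial fingerprints the vendor has revoked.
type Blacklist map[string]bool

// VerifyLicense is what ships in the app. It holds the public key and the
// blacklist only, so nothing in the binary is sufficient to create a serial,
// and a single leaked serial can be revoked without touching any other one.
func VerifyLicense(pub ed25519.PublicKey, bl Blacklist, name, email, serial string) bool {
	sig, err := serialEncoding.DecodeString(serial)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	if bl[serialID(serial)] {
		return false
	}
	return ed25519.Verify(pub, licensePayload(name, email), sig)
}

func main() {
	// Constructed demo: a fresh vendor key pair and one fictitious customer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial := IssueLicense(priv, "Ada Lovelace", "ada@example.com")
	bl := Blacklist{}
	fmt.Println("legit serial:   ", VerifyLicense(pub, bl, "Ada Lovelace", "ada@example.com", serial))
	fmt.Println("wrong name:     ", VerifyLicense(pub, bl, "Someone Else", "ada@example.com", serial))
	bl[serialID(serial)] = true
	fmt.Println("after revocation:", VerifyLicense(pub, bl, "Ada Lovelace", "ada@example.com", serial))
}
```

Contrast this with a serial derived from name and email by a hash: there the checker must contain the whole derivation, so anyone who reads it can reproduce every valid serial, and blacklisting one customer's serial does nothing because the scheme cannot tell a leaked serial from a freshly derived one. With the signed scheme, the only thing worth protecting is the private key on the vendor's machine.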
