Is it wise to discuss these technologies out in the open like this?
Shouldn't you go to a chat room for privacy? There are probably 10 or 12 of
us (don't include me!) who are qualified to come up with a good protection
scheme. Why not go off and figure it out where the bad guys can't listen
in?
Just a thought.
> -----Original Message-----
> From: Alan Kennington [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, June 08, 1999 3:10 PM
> To: [EMAIL PROTECTED]
> Cc: Palm Developers Forum
> Subject: Re: cracking site - how do we shut it down?
>
> Aaron,
>
> My point is that you generate a different binary for each user --
> the same code, but subtly different.
> There are many ways to do this by perturbations of various
> sorts.
>
> Then you sign the binary with PGP.
> Each binary is then different and signed,
> so that you can verify that it is yours.
>
> But the user has no way to determine whether it is
> authentic.
>
> Then they must get it from your site.
> If they get it from somewhere else, it may be
> a virus-infected copy.
>
> The user's only authentication is the fact that
> they get it from your authorized site.
>
> Now if someone copies one of your authentic binaries and
> distributes it, users do not know if it is one of the
> virus-fitted binaries that you distribute into "incoming"
> directories, or a good copy, and they would have to
> completely disassemble the code and understand it in order
> to know if it has a nasty bit of data-destroying code.
>
> I.e., this methodology uses a kind of game theory.
> The user takes a risk in buying pirate software.
> When it becomes generally known that many Palm software
> writers are using this methodology, users will
> be terrified into getting their software from the source,
> namely you, and they will gladly pay $10 for the certificate
> or whatever.
>
> Therefore your point about registration code generators is
> not relevant. Just perturb a few function offsets in
> your binary, so that the jump-vectors are perturbed.
> Then you can generate a million different authentic binaries,
> and a million bug-infested versions.
> But because you have the secret PGP key, only you can
> tell the difference.
>
> Does this meet your objection?
>
> Cheers,
> Alan Kennington.