RE: RE: [PHP] Genus who came up with Self Destruct Code Copy Protection

2002-05-14 Thread Miguel Cruz

On Mon, 13 May 2002, SHEETS,JASON (Non-HP-Boise,ex1) wrote:
> Yes, even if you take some steps to protect your code it may still be
> distributed, but it WILL be distributed if you don't.
>
> Think about security: as a sysadmin I can't just not apply security updates.
> You apply every security update you can; even though a determined
> cracker can still get into your box, you eliminate most of the script
> kiddies.
>
> Just because you can circumvent something does not mean it is not worth
> doing. There is a trade-off, security and usability: to make something
> completely secure you make it completely unusable. You need to find a middle
> ground with your systems and your code.
>
> As far as banks being robbed, yes they may be robbed, but we still lose less
> money than if we left the vault unlocked and just told people to help
> themselves.

The situations are not analogous.

Putting locks on a bank vault increases the amount of time it takes to get 
in, which increases the risk to the robber. This is a powerful 
disincentive, and leads robbers to choose other banks instead of yours.

Also, after someone does manage to get through all your vault locks, the 
next person who wants to break into the bank still has to go through all 
the work again.

Putting locks on software, on the other hand, doesn't increase any risk. 
It may increase the challenge, but for many crackers, this is the number 
one incentive anyway.

And once one person has broken it, it's as good as broken everywhere.

So the return for effort/expense is much lower. The time is better spent 
writing more software for more clients. Or finding better, more honest 
clients.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: RE: [PHP] Genus who came up with Self Destruct Code Copy Protection

2002-05-13 Thread Jason Soza

I think the point of all this, and I'm sure I'll be corrected if I've 
misunderstood, is that you can spend your time encrypting, obfuscating, 
whatever, but either way your program will get distributed as-is, reverse 
engineered, etc. If someone wants to do it, they'll do it.

Using your example, sure, you're not going to leave your door unlocked 
because there are a million lock-pickers out there you know could get 
through your lock. But by locking your door, do you feel safe? Someone 
could come in a glass window as easily as they pick your lock. 
Determined thieves can get around even the biggest doors with the 
biggest locks. Look at all the bank robberies that have taken place 
over the past century.

I guess the bottom line is, you can do what you want with your code, but 
that doesn't make it hack-proof (or anti-distributable!).

Jason Soza

----- Original Message -----
From: SP [EMAIL PROTECTED]
Date: Monday, May 13, 2002 1:48 pm
Subject: RE: [PHP] Genus who came up with Self Destruct Code Copy Protection

> Everyone is arguing that these encoders can be cracked. Does anyone
> know of one, have you done it yourself? How long did it take? I mean
> I'm not going to leave my door unlocked cuz someone can pick it open.
>
> -----Original Message-----
> From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
> Sent: May 13, 2002 3:29 PM
> To: Udo Giacomozzi
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Genus who came up with Self Destruct Code Copy Protection
>
> On 13 May 2002, Udo Giacomozzi wrote:
> > If the whole thing is designed the right way.
> > A copy protection I like for example are dongles. Ok, they are not
> > applicable to PHP and aren't 100% secure either [don't want to start a
> > discussion about this now]. But this system makes no problems for the
> > people that have the dongle.
> >
> > That was why I first came up with this question. As a PHP beginner I
> > wanted to know if there are elegant ways to make an acceptable copy
> > protection.
> >
> > There seem to be only 3 possibilities:
> > - zend encoder
> > - a code obfuscator like POBS
> > - encrypting the source code and then decrypting it in realtime
>
> All of these have weaknesses. And therefore the whole exercise is moot.
> It only takes one person with some free time to break your protection
> scheme, and then the cat's out of the bag. Once it has been broken, it
> will spread and then it won't matter how complex your scheme was.
>
> I really doubt there is any software out there that isn't being traded
> by high-school kids, even if they have no idea what it's for. The only
> exceptions would be something so arcane and obscure that nobody ever
> had an interest in cracking it.
>
> miguel






RE: RE: [PHP] Genus who came up with Self Destruct Code Copy Protection

2002-05-13 Thread SHEETS,JASON (Non-HP-Boise,ex1)

I've watched this thread; now I'll comment because it applies to many other
things.

Yes, even if you take some steps to protect your code it may still be
distributed, but it WILL be distributed if you don't.

Think about security: as a sysadmin I can't just not apply security updates.
You apply every security update you can; even though a determined
cracker can still get into your box, you eliminate most of the script
kiddies.

Just because you can circumvent something does not mean it is not worth
doing. There is a trade-off, security and usability: to make something
completely secure you make it completely unusable. You need to find a middle
ground with your systems and your code.

As far as banks being robbed, yes they may be robbed, but we still lose less
money than if we left the vault unlocked and just told people to help
themselves.

Jason


