blog: make your uncrackable keygen with RSA

nikos
Site Admin
Posts: 15805
Joined: 2002 Feb 07, 15:57
Location: UK

Post by nikos »

here's the comment area for today's blog article found at
http://zabkat.com/blog/27Jun10-openssl-keygen.htm
burning the midnight oil today :)
Kilmatead
Platinum Member
Posts: 4579
Joined: 2008 Sep 30, 06:52
Location: Dublin

Post by Kilmatead »

Let me preface this by saying I did actually read all of the above article (of what must be Nikos' longest expression of anything written anywhere :wink:), though I do not claim to understand the particulars.  My one claim to fame was that in school I once memorized Pi to 134 places as a dare.  (And yes, I realise most university "dares" usually involve female panties and the like, but I had a deprived childhood, ok?  Leave me alone.  Geeks have feelings too. :wink: :shrug:)

To the subject at hand though, due to a strange conjunction of innocent desires, I spent some time last Saturday exploring the world of "cracked" or otherwise illegally used software.

It seems to be depressingly easy to do.

As an experiment (I later removed all applications) in the space of a few hours with adroit Googling and a blind faith in my Anti-Virus software (which proved its usefulness, if nothing else) I managed to obtain 20 different applications with very little trouble, using a combination of keygens and/or dodgy-looking patches.  Ironically, it proved easier to find the "latest" editions of said softwares (including x64 versions), simply because those are the most recently uploaded to any given site.  All, it must be said, were easily located using only the first page of Google results.  Not exactly rocket science.

Of interest, more than a few of the applications seemed to have no copy protection whatsoever, as they rely upon the "known-user" method, where registered persons download a fully functional version after "logging in" to a private link provided after purchase.  A strange concept, to be sure, but that's what I found.

As Nikos knows well, I am completely guilty of a loose interpretation of copyright laws when it comes to downloading music.  Throughout the ages, musicians have had to "perform" for their dinners, and there's no particular reason that shouldn't be true today, regardless of what a dying record industry portends.  A few of their own recently admitted as much.

Personally, I do draw the line at software - tempting though it may be - partially from an ethical appreciation of the work involved, but more so from my participation in this very forum, and seeing the (ever burgeoning) tribulations Nikos must contend with to survive a contentious marketplace.  That said, anyone who wants to rip-off Adobe has my full consent, as not only are they too big for their britches, as it were, but (to perpetuate a metaphor) their software is pants - regardless of its popularity or usefulness - it's inconceivable to me how so many otherwise "creative types" are hoodwinked into the hype.  Yes, Photoshop, I'm looking at you.  But so be it, choice is choice.

In the end (as stated above) I restored an image of my system before any of this software was installed, so "no harm no foul", as it were - though there was one application in particular (an overpriced registry editor) which I was sad to part with, but those are the breaks.  I may be hungry these days, and in debt, and in hock, and no doubt in danger of developing scurvy, but there are some guidelines of integrity I will stick to, regardless of impractical or inconvenient consequence.

God help all developers, small and large (except Adobe :wink:).

But mostly the small ones.

And with Nikos' help (as per the blog, and other things), perhaps they can learn to help themselves a little, too.

P.S. If anyone was weird enough to gift me a legal license for Registry Workshop you may have my firstborn son.  Really.  I'm not mad about kids.  Registries, on the other hand, are quite entertaining. :wink:
Tuxman
Platinum Member
Posts: 1610
Joined: 2009 Aug 19, 07:49

Post by Tuxman »

Kilmatead wrote: Personally, I do draw the line at software - tempting though it may be - partially from an ethical appreciation of the work involved (...)
So do I with music.

Most music albums I own (legally) have been part of my eMule list long before that, and meanwhile it sums up to x thousand Euros (including stuff that would be available as a legal free download), so je ne regrette rien ... the same with software. "Trial versions" are somewhat crippled ethically. 30 days are not always enough to decide to spend money (or not), nor are 90 days and counting. After Word 97 or so, I never spent any money for software I hadn't "extensively tested" before, even if the trial was enough to decide about it.

If I like something, I will willingly pay for it. If not, the creator will never see a cent of mine. Ethically, you know?
Kilmatead wrote: That said, anyone who wants to rip-off Adobe has my full consent, as not only are they too big for their britches, as it were, but (to perpetuate a metaphor) their software is pants
Full ACK. I probably wouldn't use Photoshop if anyone else would pay it for me. Too sluggish, too expensive, too... big. Heck, even Paintshop Pro is more worth the money.
Tux. ; tuxproject.de
registered xplorer² pro user since Oct 2009, ultimated in Mar 2012
nikos
Site Admin
Posts: 15805
Joined: 2002 Feb 07, 15:57
Location: UK

Post by nikos »

internet has made all the music, movie, book and software business effectively 'try before you buy'. Which is good for the consumer, but remember to buy once in a while (whatever you think is worthwhile) otherwise there will be nothing left to download!
dunno
Gold Member
Posts: 506
Joined: 2007 Nov 18, 03:00
Location: Tropical Hammock

Post by dunno »

I agree, buying software one likes keeps the wheel moving, that's umm 4 applications which I pay for including extended lifetime thingy for X2.

ahem, and now on topic,

I had approx 1000 Vinyl albums, started replacing the vinyl collection with CDs, when I got to 500 I said to myself, "myself what the fvck are you doing paying royalties twice". Why should rich artists and their offspring earn royalties indefinitely? Engineering patents (which have more value to society) go timex, why not music... bollocks with that, I joined a fantastic music club, gorged myself and sigh contentedly at my sweet revenge. The bastards at the music industry didn't even have the decency to send me a "fvck you" note for paying royalties twice for the same piece of music.
Kilmatead
Platinum Member
Posts: 4579
Joined: 2008 Sep 30, 06:52
Location: Dublin

Post by Kilmatead »

dunno wrote: ...that's umm 4 applications which I pay for including extended lifetime thingy for X2.
Just counted them up myself, and was surprised to find I actually have 10 separate "paid for" applications (including AV).  Ironically, the applications I consider "indispensable" (aside from x2) for everyday use (mostly background taskbar utilities) are actually free open-source anyway.  Go figure.
cindysdad
Member
Posts: 31
Joined: 2009 Jun 28, 22:39
Location: Topsfield

Post by cindysdad »

In case you haven't noticed, if there is any correlation between quality, usefulness, and price in the personal computer software arena, it is negative correlation.
Kilmatead
Platinum Member
Posts: 4579
Joined: 2008 Sep 30, 06:52
Location: Dublin

Post by Kilmatead »

cindysdad wrote: ...if there is any correlation between quality, usefulness, and price... it is negative correlation.
It's difficult for us big kids to lose the habits of a lifetime, wherein our parents would buy us a nice shiny present, and we enjoyed playing with the box it came in more than the object itself.

Seems even x2 has one of these mystical boxes on the website, but I never received mine. :sad:

Maybe that's what'll make x2 Ultimate different from us lowly Pro types?  Hopefully it'll come in one of those big American-sized refrigerator boxes, so we can reclaim our youth and joy at the same time as we move electrons and photons between our hard drives made in Taiwan.

cindysdad
Member
Posts: 31
Joined: 2009 Jun 28, 22:39
Location: Topsfield

Post by cindysdad »

Getting back to Nikos' original subject.  That was a great blog.  Even though I do not write PC software, I do appreciate what those who do must contend with.  And I found Nikos' explanation of his solution absolutely fascinating.

I find it amusing that here, in the USA where I live, we do not have universal computerized health records available to and for all patients, because of 'SECURITY' reasons.  Perhaps some of our brilliant bureaucrats should buy Nikos lunch sometime.  Or even read his blog for free.  

Oops, off topic again.  Sorry about that.
:oops:
Kilmatead
Platinum Member
Posts: 4579
Joined: 2008 Sep 30, 06:52
Location: Dublin

Post by Kilmatead »

Ah, never apologise for being off-topic - breaking the perception of rules is what liberty is all about.  The American fear they nebulously call Security has always been the most efficient way of depriving a populace of its own self interests.

In the case of software, the bad-guy is a little clearer in relief.

The games industry (where the real money is) has been thrashing about wildly in the last few years to find a means that suits its "needs" and (much like the record industry) is failing badly.  Ironically they started out (once en-masse distribution got going) using cyphers and keys, but have mostly abandoned such things for the latest in liberty-deprivation like "required full-time on-line connexions" - even the idea alone would put people off it, and indeed the backlash is in full swing.

The implementation of a once-off unbreakable key is one thing, but what happens after it's been accepted by the program?  In my little experiment (above) it was all too easy to find key-generators which were quite sophisticated and bespoke in their intent - styled to individual programs, they do effectively produce working keys - which once accepted by the program's registration, are seemingly never "tested" again, except, perhaps, by future versions of the application.  In everyday use, even online-registrations requiring legitimate (as in non-gmail/hotmail) addresses and IP's could be faked, as long as it wasn't scrutinized too closely by the vendor.  That little "grey area" which allows for the possibility of human error is easily exploited the less personal a company may be.

Even more amusing (at least to me) is that due to an ongoing "misunderstanding" <cough> with the Bankers, my "legitimate" credit card has been snuffed out - so I discovered the interesting world of legal (yet) disposable one-off Visa numbers which are intended for the credit-less in society to participate in Web-Commerce.  These things are de-facto untraceable and can be applied for repeatedly under any name you wish to use - as everything is "pre-paid" any "identity" is irrelevant, as the corporation isn't interested in anyone's security once they have their money.  Link two or three of these things to a "Verified" Paypal account (or just use Visa itself), and you're good to go.  The vendor gets his cash, the transaction is clean, and the job's done.  Except... that's where the exploitation comes in - if you're willing to spend some time falsifying records and providing a convincing financial footprint, you'd be surprised how easy it is to convince the girl on the other end of the phone (or email) that your requests for "renewed licenses" are legitimate.

People make the mistake of thinking that most pirated software is just something the punter downloaded from a Chinese site, and equate that with a Neanderthal-level intelligence approach to mugging someone on the street.   The real sophistication comes from doing it "legally", wherein the vendor just accepts that a "mistake might have been made" and so in the interests of "good faith" they acquiesce and pass your claim(s), largely based on the presumed "fact" that you were a customer in the first place, as their records show a named credit-card receipt and legit email correspondence addresses - but when the offender has 5 names on 5 legitimate-linked cards, anything is possible.

Basically, that's just to show the flaws in assuming that Nikos' maths can provide a workable long term solution.  Play on the human element, and all the encryption in the world becomes irrelevant.

Can't help with your health records, though, unfortunately.  That said, maybe I should investigate the world of faked birth-cert's instead, like they do in the movies.  Does Cindy, by chance, need a brother?  :twisted:
cindysdad
Member
Posts: 31
Joined: 2009 Jun 28, 22:39
Location: Topsfield

Post by cindysdad »

"Play on the human element, and all the encryption in the world becomes irrelevant."  So, remove the human element.

The primary reason the banks and credit card companies don't do a good job with security is that they don't care to.  They just accept fraud as another cost of doing business, and pass the cost on to their customers.  That is no model that any government should follow.  For every crime that goes unpunished, there is inspiration for yet another crook.
  :roll:
Kilmatead
Platinum Member
Posts: 4579
Joined: 2008 Sep 30, 06:52
Location: Dublin

Post by Kilmatead »

cindysdad wrote: The primary reason the banks and credit card companies don't do a good job with security is that they don't care to.  They just accept fraud as another cost of doing business, and pass the cost on to their customers.
Or, to turn the obscenity of accepted morality on its head, they are the perpetrators.  :shock:

(Yeah, now that's a bit off-topic, but Nikos started it, and it's still relevant today.  Oh, the sins of Novembers past.)
snemarch
Bronze Member
Posts: 94
Joined: 2008 Jan 15, 10:08

Post by snemarch »

Please don't use the term "uncrackable", but stick with "un-keygennable" - there's a big difference (and you even mention it yourself in the blog post) :). Also, un-keygennable isn't necessarily true... ASProtect, which iirc used 2048-bit RSA, was fully keygenned in older versions; iirc the attack vector was that the prng was seeded from system time, which allowed the crackers to seriously narrow the range of their brute-force attack.

Similarly, the Windows license keys have been using elliptic-curve crypto for a while (that's why they offer strong security even though they only consist of 5x5 digits; ECC requires fewer bits than RSA to be secure). However, Microsoft made "some mistake" when choosing ECC parameters, and thus 100% working keygens appeared for corporate keys. Unfortunately for the pirates, Microsoft do apparently keep a giant database of all issued corporate keys :)

Pubkey crypto, whether RSA or ECC or something else, is nice - do a flexible keyfile scheme and digitally sign it, and unless you've screwed up somewhere, you'll be the only one who can generate keys. However, you'll be back to the old "It's only going to take a few byte patches to the executable" problem.

How to handle piracy is a pretty big headache; there's some interesting discussion on it at StackOverflow.
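
The signed-keyfile scheme described in the post above, as an added example that is not part of the thread or of the blog's code. The function names, the license fields and the demo key are assumptions; it uses textbook RSA over a SHA-256 digest to stay dependency-free, where production code would use RSASSA-PSS from a vetted library.

```python
import hashlib
import json

# Constructed demo key: two Mersenne primes, chosen only so the example needs no
# key-generation code. Special-form primes are NOT safe for real use; real keys
# come from a vetted library (e.g. OpenSSL) seeded by the OS CSPRNG.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, embedded in the application
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the vendor


def digest(fields: dict) -> int:
    """Hash a canonical (sorted, compact) JSON encoding of the license fields."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def issue_license(fields: dict) -> dict:
    """Vendor side: sign the fields with the private exponent."""
    return {"fields": fields, "sig": format(pow(digest(fields), D, N), "x")}


def verify_license(lic: dict) -> bool:
    """Application side: needs only (N, E); malformed input is rejected."""
    try:
        sig = int(lic["sig"], 16)
        fields = lic["fields"]
        if not isinstance(fields, dict) or not 0 < sig < N:
            return False
        return pow(sig, E, N) == digest(fields)
    except (KeyError, TypeError, ValueError):
        return False


if __name__ == "__main__":
    lic = issue_license({"name": "Test User", "edition": "pro"})  # constructed
    print("genuine:", verify_license(lic))
    lic["fields"]["edition"] = "ultimate"   # edit a field, keep the old signature
    print("edited: ", verify_license(lic))
```

The verifier holds no secret, so the result is only as trustworthy as the binary that runs it, which is the "few byte patches" limitation the post ends on.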
snemarch
Bronze Member
Posts: 94
Joined: 2008 Jan 15, 10:08

Post by snemarch »

Dear Nikos,

I just saw that there's a clean keygen (ie, no .exe patching required) out for v2 - which mistake did you make in your implementation? Too small keysize for RSA, bad random generator (or time(null) based seed)?
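
The time-based seed failure named in this post and in the earlier ASProtect remark, as an added example that is not part of the thread: it measures how many different secrets a timestamp-seeded generator can produce in a known time window, next to the operating system's CSPRNG. All function names, the 16-byte secret size and the timestamp are assumptions made for the illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16  # assumed size of the secret being generated


def weak_key(issue_time: int) -> bytes:
    """Deliberately weak: general-purpose PRNG seeded with a Unix timestamp."""
    rng = random.Random(issue_time)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Hardened form: bytes taken directly from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def distinct_weak_keys(start: int, seconds: int) -> int:
    """Count the different secrets the weak generator can emit in a time window."""
    return len({weak_key(t) for t in range(start, start + seconds)})


def effective_bits(outcomes: int) -> float:
    """Search-space size in bits for a generator with `outcomes` possible results."""
    return math.log2(outcomes)


if __name__ == "__main__":
    start = 1277596800  # constructed timestamp: 2010-06-27 00:00:00 UTC
    hour = distinct_weak_keys(start, 3600)
    print(f"time-seeded, one-hour window: {hour} keys = {effective_bits(hour):.1f} bits")
    print(f"time-seeded, one-day window:  {effective_bits(86400):.1f} bits")
    print(f"OS CSPRNG: {KEY_BYTES * 8} bits, e.g. {strong_key().hex()}")
```

Whatever key length is derived from it afterwards, the secret is only as unpredictable as the seed, so key material should always be drawn from the OS CSPRNG.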
IneedHelp
Gold Member
Posts: 612
Joined: 2010 Feb 04, 02:15
Location: MeanWhile City

Post by IneedHelp »

snemarch wrote: I just saw that there's a clean keygen (ie, no .exe patching required) out for v2
Noooooooooooo!!!

People are supposed to believe that patchers and keygens are malicious and dirty! :D

Oh well, it'll probably not change a thing.