How to password protect files on distribution CD


Post by Theo de Raad » Sat, 29 Jan 2000 04:00:00




> We have developed some software and we want to ship them on CD
> in encrypted form to our customers. Then we want to give them some keys
> to decrypt the software. We should be able to generate the passwords
> for our customers. We might want to put further restrictions on
> encryption and authorization in the future but not now.

> What software do I need to use for this? If this is irrelevant to this
> group, please point me to the correct one.

Consider using CSS.

Just kidding; sorry, I had to, I couldn't resist!

--

Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions.  OpenBSD is Free Software.

 
 
 


Post by GJJ » Sat, 29 Jan 2000 04:00:00


I always see a number of ads in the monthly "Software Development"
magazine (http://www.sdmagazine.com). Here are a few:

Crypkey Copy Protection and License Control

Kenonic Controls Ltd., Calgary, Canada
(403) 258-6200 Fax: (403) 258-6201
http://www.crypkey.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WIBU-KEY - The high quality protection system for high quality software

North America:
Griffin Technologies, LLC
(800) 986-6578 FAX: (785) 832-8787
http://www.griftech.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HASP - NSTL tried and tested! Does more than protect your software.

Aladdin Knowledge Systems Inc.
(800) 223-4277 (212) 564-5678 FAX: (212) 564-3377
http://aks.com/swdev

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Ultimate Software Security (i.e. STOPCOPY family, STOPVIEW,
NETLIMIT)

BBI Computer Systems, Inc.
(800) TRY-ABBI (301) 871-1094 FAX: (301) 460-7545
http://www.bbics.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sentinel products for electronic license distribution, anti-piracy

Rainbow Technologies
(949) 450-7300 (800) 852-8569 FAX: (949) 450-7450
http://www.rainbow.com

______________________________________________________________

BTW - I have no personal or professional interests in the above
companies and have not tried any of their products so I can't vouch for
them...

HTH.

GJJ


 
 
 


Post by Johnny Brav » Sat, 29 Jan 2000 04:00:00


On Fri, 28 Jan 2000 18:02:17 -0800, GJJ


>BTW - I have no personal or professional interests in the above
>companies and have not tried any of their products so I can't vouch for
>them...

  I can; copy protection can't.
  There is no possible copy protection that can't be recopied or bypassed.
If nothing else than by distributing the encrypted files with a valid
decryption key.  For those silly schemes where the customer's name is used
to make an encryption key, a key generator is easy enough to reverse
engineer as the program has to take the customer name, compute the same
key to compare it against the entry.  Anything the computer can do, a
cracker can duplicate, then put it into a program that does the same
calculations and generates the keys.
  For larger and more complicated programs, for some it will be worth the
cost to purchase a bound manual and tech support.  Some companies are
offering an outstanding product for free and making money off the support,
ala Sun Systems and the massive package Star Office.

  Best Wishes,
    Johnny Bravo

 
 
 


Post by zir.. » Sun, 30 Jan 2000 04:00:00


Hi

We have developed some software and we want to ship them on CD
in encrypted form to our customers. Then we want to give them some keys
to decrypt the software. We should be able to generate the passwords
for our customers. We might want to put further restrictions on
encryption and authorization in the future but not now.

What software do I need to use for this? If this is irrelevant to this
group, please point me to the correct one.

Thank you
ZZ


 
 
 


Post by Dave Mun » Sun, 30 Jan 2000 04:00:00


        I concur.  Hence the reason that SOME companies resort to the
hardware solution of a "dongle", a hardware key that hangs off the
parallel port and is queried by the software to see if it can run.  
     These things are an adequate solution, but, inconvenient for the
user, and, are guaranteed to shut them down when damaged.  Also,
although the technology works pretty well now, there can be conflicts
that make it hard to print through these devices.
        I wonder, though, WHY you think this is necessary?  It would be
much simpler to distribute the software, and, like most other software
packages, require a license number to be entered before it can install
or run.
        Seems to work for Microsoft well enough...
        Regards
        Dave Mundt


>On Fri, 28 Jan 2000 18:02:17 -0800, GJJ

>>BTW - I have no personal or professional interests in the above
>>companies and have not tried any of their products so I can't vouch for
>>them...

>  I can; copy protection can't.
>  There is no possible copy protection that can't be recopied or bypassed.
>If nothing else than by distributing the encrypted files with a valid
>decryption key.  For those silly schemes where the customer's name is used
>to make an encryption key, a key generator is easy enough to reverse
>engineer as the program has to take the customer name, compute the same
>key to compare it against the entry.  Anything the computer can do, a
>cracker can duplicate, then put it into a program that does the same
>calculations and generates the keys.
>  For larger and more complicated programs, for some it will be worth the
>cost to purchase a bound manual and tech support.  Some companies are
>offering an outstanding product for free and making money off the support,
>ala Sun Systems and the massive package Star Office.

>  Best Wishes,
>    Johnny Bravo

Remove the "REMOVE_THIS_" from my email address to get to me...
I hate Cullers who gather from newsgroups

Visit my home page at http://www.esper.com/xvart/index.html

 
 
 


Post by John Sava » Sun, 30 Jan 2000 04:00:00



>We have developed some software and we want to ship them on CD
>in encrypted form to our customers. Then we want to give them some keys
>to decrypt the software. We should be able to generate the passwords
>for our customers. We might want to put further restrictions on
>encryption and authorization in the future but not now.
>What software do I need to use for this? If this is irrelevant to this
>group, please point me to the correct one.

The basic idea is that while the program on the CD-Rom is encrypted
with one, fixed key, you can generate a key for an individual customer
which, when combined with a serial number, or the customer's name,
yields the required decryption key.

This means that if the security program also on the CD-Rom is not
disassembled, a customer would have to give away two pieces of
information to let someone else use a copy of the CD-Rom, one of which
would identify the customer.

Unfortunately, disassembling programs is much easier than cracking
encryption, so the level of security you can achieve this way is
somewhat limited.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html
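The scheme John Savard describes above, sketched as an added example (not code from the thread or from any product named in it). The XOR wrapping, the SHA-256 name mask, the key check value, and every name below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PRODUCT = b"example-product-1.0"  # hypothetical product label (assumption)


def name_mask(customer_name: str) -> bytes:
    """Derive a 32-byte mask from the customer's name, which is not secret."""
    normalized = " ".join(customer_name.split()).casefold().encode("utf-8")
    return hashlib.sha256(PRODUCT + b"\x00" + normalized).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(content_key: bytes) -> bytes:
    """Value stored on the CD so the installer can tell a right key from a wrong one."""
    return hashlib.sha256(b"kcv\x00" + content_key).digest()


def issue_unlock_code(content_key: bytes, customer_name: str) -> str:
    """Vendor side: the per-customer key is the fixed content key masked by the name."""
    return xor_bytes(content_key, name_mask(customer_name)).hex()


def recover_content_key(customer_name: str, unlock_code: str, kcv: bytes):
    """CD side: combine name and unlock code; return the content key or None."""
    try:
        wrapped = bytes.fromhex(unlock_code.strip())
    except ValueError:
        return None  # not valid hex
    if len(wrapped) != 32:
        return None  # truncated or padded code
    candidate = xor_bytes(wrapped, name_mask(customer_name))
    if not hmac.compare_digest(key_check_value(candidate), kcv):
        return None  # name and code do not belong together
    return candidate


def demo() -> dict:
    content_key = secrets.token_bytes(32)  # the one fixed key for the whole pressing
    kcv = key_check_value(content_key)
    # Constructed sample customers.
    alice = issue_unlock_code(content_key, "Alice Example")
    bob = issue_unlock_code(content_key, "Bob Example")
    return {
        # Each customer gets a different code ...
        "codes_differ": alice != bob,
        # ... which only works together with that customer's name,
        "alice_ok": recover_content_key("alice  example", alice, kcv) == content_key,
        "swapped_rejected": recover_content_key("Bob Example", alice, kcv) is None,
        # but every valid pair yields the same fixed key, so the protection
        # is only as strong as the secrecy of one name/code pair.
        "same_key_for_all": recover_content_key("Bob Example", bob, kcv) == content_key,
    }


if __name__ == "__main__":
    print(demo())
```

A customer who passes the CD on has to hand over both the name and the unlock code, and the name identifies them; that is the whole of the deterrent.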

 
 
 


Post by Vernon Schryv » Sun, 30 Jan 2000 04:00:00




>    I wonder, though, WHY you think this is necessary?  It would be
>much simpler to distribute the software, and, like most other software
>packages, require a license number to be entered before it can install
>or run.

>    Seems to work for Microsoft well enough...

As far as I can tell from accidentally using the wrong CDROM, every
Microsoft license number works for every CDROM of a given version of a
product.  The continued screaming and crying from Microsoft about the
oriental pirates and other warez vendors, and the continual changes in
the Microsoft number certificates suggests that Microsoft is not entirely
happy with whatever they're doing.

There is no useful difference between a "license number to be entered"
and a "password."  As has been said, all conceivable copy protection
schemes are easy to break.  Any licensing scheme is merely a failure to
work without some trivial hardware or without some input.  Breaking any
license is at most a matter of debugging a binary without source.  That
is within the expected and required daily competence of zillions of
programmers.  No one with a clue hopes for hard to break, not to mention
unbreakable licensing.

All licensing has two rational purposes.  The first is to encourage honest
customers to pay for the software.  If breaking the copy protection scheme
is expensive (requires lots of programmer time), and if other things such
as good customer support come with a license, customers worth having will
buy a license.  Other customers aren't worth having and generally don't
matter.

The second is to provide prima facie evidence of evil intent in court.
If a user of protected software doesn't have a password, then the user
must have intentionally violated the terms of the license by which the
user obtained the software (and I don't mean shrink wrap nonsense).  If
a per copy license is required, then extra working copies were not made
accidentally.

I do not understand why people buy dongles, other than being suckers.
Modern computers have more than enough unique bits to generate a globally
unique signature that can be used instead of a value from a dongle.
Since most computers or at least applications need to keep time, it is
easy to use the unique signature of a computer to generate a license
that enables only part of an application or for a limited time.  Some
dongles have encrypted read/write storage, but computers have more.

Today, no rocket science is required to do everything a dongle can do
purely with software...well, except for working around MicroStupid
software that hides handy things like Ethernet addresses when stupid,
amazingly insecure braindead protocols like NetBUI are turned off.


 
 
 


Post by John E. Kuslic » Sun, 30 Jan 2000 04:00:00


I concur.

If you read the writings of +ORC and his ilk, you will soon discover
that the goal cannot be achieved.  What can be done in software can be
un-done in software!  Even the much touted dongles have been cracked.

Resistance is futile, give up.

JK


> On Fri, 28 Jan 2000 18:02:17 -0800, GJJ

> >BTW - I have no personal or professional interests in the above
> >companies and have not tried any of their products so I can't vouch for
> >them...

>   I can; copy protection can't.
>   There is no possible copy protection that can't be recopied or bypassed.
> If nothing else than by distributing the encrypted files with a valid
> decryption key.  For those silly schemes where the customer's name is used
> to make an encryption key, a key generator is easy enough to reverse
> engineer as the program has to take the customer name, compute the same
> key to compare it against the entry.  Anything the computer can do, a
> cracker can duplicate, then put it into a program that does the same
> calculations and generates the keys.
>   For larger and more complicated programs, for some it will be worth the
> cost to purchase a bound manual and tech support.  Some companies are
> offering an outstanding product for free and making money off the support,
> ala Sun Systems and the massive package Star Office.

>   Best Wishes,
>     Johnny Bravo

--
John E. Kuslich
Password Recovery Software
CRAK Software
http://www.crak.com
 
 
 


Post by John E. Kuslic » Sun, 30 Jan 2000 04:00:00


Dongles are routinely cracked.  If you search the Net you will discover
how.

Likewise, security codes are only a defense against the software
challenged.

We use these codes but must change them constantly to keep up with the
crackers.  

There are some obfuscation techniques that will defeat the most often
used cracking techniques under Windows but a good cracker will
eventually see his way around them.

JK

--
John E. Kuslich
Password Recovery Software
CRAK Software
http://www.crak.com


>         I concur.  Hence the reason that SOME companies resort to the
> hardware solution of a "dongle", a hardware key that hangs off the
> parallel port and is queried by the software to see if it can run.
>      These things are an adequate solution, but, inconvenient for the
> user, and, are guaranteed to shut them down when damaged.  Also,
> although the technology works pretty well now, there can be conflicts
> that make it hard to print through these devices.
>         I wonder, though, WHY you think this is necessary?  It would be
> much simpler to distribute the software, and, like most other software
> packages, require a license number to be entered before it can install
> or run.
>         Seems to work for Microsoft well enough...
>         Regards
>         Dave Mundt


> >On Fri, 28 Jan 2000 18:02:17 -0800, GJJ

> >>BTW - I have no personal or professional interests in the above
> >>companies and have not tried any of their products so I can't vouch for
> >>them...

> >  I can; copy protection can't.
> >  There is no possible copy protection that can't be recopied or bypassed.
> >If nothing else than by distributing the encrypted files with a valid
> >decryption key.  For those silly schemes where the customer's name is used
> >to make an encryption key, a key generator is easy enough to reverse
> >engineer as the program has to take the customer name, compute the same
> >key to compare it against the entry.  Anything the computer can do, a
> >cracker can duplicate, then put it into a program that does the same
> >calculations and generates the keys.
> >  For larger and more complicated programs, for some it will be worth the
> >cost to purchase a bound manual and tech support.  Some companies are
> >offering an outstanding product for free and making money off the support,
> >ala Sun Systems and the massive package Star Office.

> >  Best Wishes,
> >    Johnny Bravo

> Remove the "REMOVE_THIS_" from my email address to get to me...
> I hate Cullers who gather from newsgroups

> Visit my home page at http://www.esper.com/xvart/index.html

 
 
 


Post by Dave Mun » Mon, 31 Jan 2000 04:00:00


*snip*

>Also, nobody has come up with a dongle-protection scheme yet that
>can't be cracked. You'll find a long list of cracks for
>"dongle-protected" programs in the crack groups. It's just a big scam
>by the sleazy copy-protection companies who claim that their schemes
>are "absolutely impervious" to cracking even though widely-known
>cracks  have been around for years.

        This is true.  The fact of the matter is that NO encryption scheme
is totally impervious to attack.  However, the point is, of course, to
make it simpler for the average user to bite the bullet, whine and pay
the cost of the dongle.

>This thread may have gotten off on a tangent. I don't think the
>original question was about software copy-protection so much as a way
>to password-protect general data. Since this is a commercial use, PGP
>would require payment while the GNU version would still be free. If
>we're talking strictly Windows 9x systems (not Windows 2000 or NT)
>then scramdisk might also be a good solution (see
>comp.security.scramdisk).

        This is a reasonable point.   However, the original post DOES talk
about shipping software out in encrypted form, so only a given
customer could use it.  They also imply that they want to do something
like sending out a software package with many functions (say, G/L,
Inventory, payroll, etc) and control the end user's access to any
given set of function by the license number/password assigned to the
user.
        Your suggested solutions are quite valid though, and, would
probably meet the needs of the user.  
        Frankly, it is a shame that folks WILL use software without paying
for it.  I think mIRC is a good example...I understand that they have
just had their 10,000th registration...after something like 18 MILLION
downloads.  Of course, this is not to say that there are 18 million
USERS of mIRC not paying for it...Shucks, I have d/l it several times,
but, don't use it (too much noise).  However, I have recommended it to
a number of folks, though.
        Regards
        Dave Mundt

Remove the "REMOVE_THIS_" from my email address to get to me...
I hate Cullers who gather from newsgroups

Visit my home page at http://www.esper.com/xvart/index.html

 
 
 


Post by Chris Ada » Mon, 31 Jan 2000 04:00:00




>>can't be cracked. You'll find a long list of cracks for
>>"dongle-protected" programs in the crack groups. It's just a big scam
>>by the sleazy copy-protection companies who claim that their schemes
>>are "absolutely impervious" to cracking even though widely-known
>>cracks  have been around for years.

>    This is true.  The fact of the matter is that NO encryption scheme
>is totally impervious to attack.  However, the point is, of course, to
>make it simpler for the average user to bite the bullet, whine and pay
>the cost of the dongle.

Dongles seem to be the easiest way to annoy your users and guarantee strong
demand for either cracks or a competing product. Frankly, I wish software
vendors would accept the fact that you cannot prevent the dishonest people from
being dishonest and the honest ones will pay you anyway. Copy-protection is
just a massive waste of resources, particularly as the time spent developing or
installing the snake-o^W^Wfoolproof copy-protection scheme is usually dwarfed
by the support time spent when it fails to work properly.
 
 
 


Post by Dave How » Mon, 31 Jan 2000 04:00:00


In our last episode (<alt.security.pgp>[Sun, 30 Jan 2000 02:07:24

>    This is true.  The fact of the matter is that NO encryption scheme
>is totally impervious to attack.  However, the point is, of course, to
>make it simpler for the average user to bite the bullet, whine and pay
>the cost of the dongle.

  Hmm. I don't know about the average user, but it is not THAT unusual
for me to buy the full, legal copy, but use the crack anyhow - I have
external parallel-port devices (CDR writer and scanner) that don't
like having the dongle there, and then there is the risk of physical
damage to my parallel port from sheer weight of dongles. If I ever get
raided (not much chance) I have box, original CD, dongle and receipt
to show them - I can't see myself in violation of anything but the
click-install licence, and they aren't enforceable in .uk....
  Moreover,  the "I will fully install, but will require the CD in the
drive to use me" thing sucks. It's ok for games (I am only doing ONE
thing then, playing games, and want as much junk kept there and not on
my HD as possible) but if I want to use two or three editing packages
on the same files, the cd-rom swapping gets tedious (and I can't use
my external drive if I want to use the scanner)
  I don't mind the "personalised key" approach of mIRC and similar
packages though - it's *my* key, so having *my* name on it is no
problem.

>    This is a reasonable point.   However, the original post DOES talk
>about shipping software out in encrypted form, so only a given
>customer could use it.  They also imply that they want to do something
>like sending out a software package with many functions (say, G/L,
>Inventory, payroll, etc) and control the end user's access to any
>given set of function by the license number/password assigned to the
>user.

  I'm not sure which way this swings. It is feasible to send out
individually-written Scramdisk CDs, each with a unique key, but unless
they only need mounting *once* (for an install) then that would get
pretty old very quickly, and I don't know how Aman feels about
commercial use - I suspect a fee would be involved.
  In addition, it is possible to use the "unique" GID of each machine
to hash the key, and write a custom mount utility to use a
scramdisk... but I would suggest it would be simpler to add a decent
encryption to a copy of zip, and do similarly. I'm busy adding CAST to
a copy of zip as I type this :+)

>    Your suggested solutions are quite valid though, and, would
>probably meet the needs of the user.  
>    Frankly, it is a shame that folks WILL use software without paying
>for it.  I think mIRC is a good example...I understand that they have
>just had their 10,000th registration...after something like 18 MILLION
>downloads.  Of course, this is not to say that there are 18 million
>USERS of mIRC not paying for it...Shucks, I have d/l it several times,
>but, don't use it (too much noise).  However, I have recommended it to
>a number of folks, though.

However, the relationship between downloads and registrations doesn't
hold, even for those who ARE registered. I have a valid key for mIRC
as I like the software and wanted to support it (and will also be
first in the queue for SD3) but must have downloaded eight or nine
copies by now - I have been using it for a while, and updates are
sufficiently common that I have used the same key on at least four
versions - and downloaded a couple while I was still deciding which
IRC client to go with.
 
 
 


Post by Bill » Mon, 31 Jan 2000 04:00:00



in comp.security.unix :

>In our last episode (<alt.security.pgp>[Sun, 30 Jan 2000 02:07:24

>>        This is true.  The fact of the matter is that NO encryption scheme
>>is totally impervious to attack.  However, the point is, of course, to
>>make it simpler for the average user to bite the bullet, whine and pay
>>the cost of the dongle.
>  Hmm. I don't know about the average user, but it is not THAT unusual
>for me to buy the full, legal copy, but use the crack anyhow - I have
>external parallel-port devices (CDR writer and scanner) that don't
>like having the dongle there, and then there is the risk of physical
>damage to my parallel port from sheer weight of dongles. If I ever get
>raided (not much chance) I have box, original CD, dongle and receipt
>to show them - I can't see myself in violation of anything but the
>click-install licence, and they aren't enforceable in .uk....

<snip>

I've wondered recently, what is the cost of some decent-speed DES
hardware?  Because, one would make a hell of a dongle.  Have the
program call the hardware to do vital parts of the code, and make the
hardware fast enough that the calls can be big enough to make the
program really *ing cumbersome to use without it.  Added to
real-time editing software, or something like that, it may be hard to
crack.

--
Bill "Houdini" Weiss

--
11th commandment - Covet not thy neighbor's Pentium.

 
 
 


Post by Chris Ada » Tue, 01 Feb 2000 04:00:00




>I've wondered recently, what is the cost of some decent-speed DES
>hardware?  Because, one would make a hell of a dongle.  Have the
>program call the hardware to do vital parts of the code, and make the
>hardware fast enough that the calls can be big enough to make the
>program really *ing cumbersome to use without it.  Added to

Or, look at it another way: build a hardware accelerator so that your program
is not only inseparable from the hardware but faster as well, thus giving your
*customers* a reason to buy it. Done right, the "dongle" becomes a major
feature.
 
 
 


Post by Johnny Brav » Tue, 01 Feb 2000 04:00:00


On Sun, 30 Jan 2000 23:37:14 -0700, "Bill \"Houdini\" Weiss"


>I've wondered recently, what is the cost of some decent-speed DES
>hardware?  Because, one would make a hell of a dongle.  Have the
>program call the hardware to do vital parts of the code, and make the
>hardware fast enough that the calls can be big enough to make the
>program really *ing cumbersome to use without it.

  Unless your software does DES encryption, what would DES chips have to
do with the software?

  Best Wishes,
    Johnny Bravo

 
 
 

1. Protect files with password ... without the password

Hello,

I am looking for a UNIX utility that would work with all of
the major versions of UNIX (DEC Alpha, IBM, HPUX, Sun), that
would allow me to do the following:

We need to distribute source code of our application to be
compiled on the installation machine. We want to be able to
compress/tar the source with a password. On the installation
machine we want to have a script that reads through the tar/
compressed file, using the password that is built into the script
(preferably, something that users cannot get to), extracts
programs one at a time, compiles them, and deletes source.

So far we have been using compress/tar, and had our people
telnet to the UNIX server of the installation, untar, uncompress
the programs, compile them and remove -- all by hand.

Is there some utility that would allow us to package the
programs on our end, ship them over to the installation sites and
allow customers to run them, without knowing the password?

Any help will be greatly appreciated. Thank you in advance.

Alex
