[extropy-chat] FWD (SK) RFC: copy protection report

Adrian Tymes wingcat at pacbell.net
Thu Dec 1 18:24:19 UTC 2005


--- Eugen Leitl <eugen at leitl.org> wrote:
> On Thu, Dec 01, 2005 at 09:24:12AM -0800, Adrian Tymes wrote:
> > And even then, expect to be cracked eventually.  The fundamental
> > problem is, your software is operating on the user's computer,
> > which is
> 
> Assuming it's not palladium-plated, or nagscabbed.

There are ways to remove these things.

> The XBox
> key was only snarfed because bus traffic was in clear. If
> the lane between CPU and chipset is encrypted, or if the key
> resides within the CPU itself and executes cypher the 
> user never sees plain in the first place.

Hacker: "Ooh!  A *challenge*!"
(a short while later)
Hacker: "Okay, kiddies, here's how you get the cypher..."

One can also open up the CPU itself (or maybe the chipset), with the
right tools.

> Of course this means "your" computer is no longer yours, and
> by default doesn't trust you and keeps secrets from you. 
> I'm sure they'll try selling you real estate in Brooklyn, next.

True.  As has been pointed out, various executives at major vendors
like Microsoft and Intel keep trying to push this and then having to
back off when (almost never if) it degenerates into a public relations
fiasco (minor or, occasionally, major).

> Don't act too paranoid, but they're changing it *right now*.

Of course.  That's why this thread exists right now: someone's boss is
trying to implement this right now, and our friend seeks
counter-arguments to stop that right now.

> No, I would just let the installer pull a critical part of the
> code from a remote server after authentication. Easy, and pretty
> difficult to defeat.

Nope.  Just get one legit install, then pull that critical part of the
code onto others.

> Extra points for computing a hardware fingerprint, and generating
> that code server-side as-u-wait (works especially well for firmware).

Compare two installs.  See where they differ.  That's where the
fingerprint lies.  Figure how to generate the fingerprint, and you've
got infinitely many installs.  (And, what if the user changes their
hardware?  They expect it to still work, and may be motivated to change
to your competitor if, say, swapping hard drives once a drive breaks
invalidates the fingerprint and requires purchasing another install.)

> You wrote the application in the first place. Why do you need an
> expert for online unlocking? A child of ten could program it.

An expert for unlocking, period.  A child of ten would put it in a
separate subroutine, where it can simply be removed from the rest of
the code (or altered to return whatever the value for "authorized" is)
by any user with a hex editor.
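
The hardware-fingerprint objection above (a user swapping a broken drive and losing their install) is usually handled on the server side by tolerant matching rather than an exact match. The following is an added example, not code from either poster: it assumes five constructed component identifiers (not real hardware values) and a hypothetical policy that an activation still matches when at least four of the five enrolled components are unchanged. It addresses only the usability failure mode raised in the thread; it does nothing about the "compare two installs" attack, which is a separate problem.

```python
import hashlib

# Constructed sample component identifiers; real values would come from
# platform-specific queries, which this example deliberately does not do.
ENROLLED_MACHINE = {
    "cpu_id": "GenuineFamily6Model23Stepping10",
    "board_serial": "MB-000123456",
    "nic_mac": "00:11:22:33:44:55",
    "disk_serial": "WD-WCASY1234567",
    "ram_bytes": "4294967296",
}

# Same machine after the failing drive was replaced.
DRIVE_SWAPPED = dict(ENROLLED_MACHINE, disk_serial="ST-9VM0ABCDE")

# An unrelated machine that happens to share the same amount of RAM.
DIFFERENT_MACHINE = {
    "cpu_id": "GenuineFamily15Model4Stepping1",
    "board_serial": "MB-000999999",
    "nic_mac": "66:77:88:99:aa:bb",
    "disk_serial": "SAM-S1AB2CDE",
    "ram_bytes": "4294967296",
}


def component_hash(name: str, value: str) -> str:
    """Hash each component separately so the server never stores the raw
    identifiers and can still compare components one by one."""
    return hashlib.sha256(f"{name}:{value}".encode("utf-8")).hexdigest()


def fingerprint(components: dict) -> dict:
    """Per-component hashes; this is what the client sends and the server
    stores at enrollment time (assumed protocol, not from the thread)."""
    return {name: component_hash(name, value) for name, value in components.items()}


def matches(enrolled: dict, current: dict, min_matches: int) -> bool:
    """Tolerant server-side comparison: count components whose hashes still
    agree and accept when at least min_matches of them do.  A missing
    component on either side simply counts as a mismatch."""
    agreeing = sum(1 for name in enrolled if current.get(name) == enrolled[name])
    return agreeing >= min_matches


def check_activation(enrolled_components: dict, current_components: dict,
                     min_matches: int = 4) -> bool:
    """Convenience wrapper: enroll one machine, then test another against it."""
    return matches(fingerprint(enrolled_components),
                   fingerprint(current_components), min_matches)


if __name__ == "__main__":
    print("drive swapped, 4-of-5 policy :", check_activation(ENROLLED_MACHINE, DRIVE_SWAPPED))
    print("drive swapped, exact policy  :", check_activation(ENROLLED_MACHINE, DRIVE_SWAPPED, 5))
    print("different machine, 4-of-5    :", check_activation(ENROLLED_MACHINE, DIFFERENT_MACHINE))
```

The threshold is the whole design decision: with an exact-match policy (5 of 5) the drive swap invalidates the install exactly as the thread warns, while 4 of 5 lets a single component change through and still rejects an unrelated machine. Choosing the threshold too low makes the fingerprint meaningless; choosing it too high recreates the support problem.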



More information about the extropy-chat mailing list