Full Disclosure mailing list archives
Re: Are software cracks also a form of security vulnerabilities?
From: Travis Biehn <tbiehn () gmail com>
Date: Thu, 17 Jan 2013 08:42:14 -0500
Most licensing systems are toothless except for the ones that offload critical functionality to external components.

A) A USB stick that processes encrypted commands issued by the program. These little things are pretty ingenious: they contain the decryption keys in the USB stick and the program contains encrypted functions. High cost to recover the decryption key and get the routines, and they work in offline mode.

B) Program logic is carried out server side. Cost to maintain servers; program requires persistent internet connection.

Neither of them seems too feasible for a mobile environment; developers have to assume and account for losses due to piracy just like in any other medium.

That being said, nobody is preventing you from responsibly disclosing licensing issues to a vendor and recommending a more robust approach. One such case is if a vendor was to use a license.dat file stored in open storage, easily copied and shared. You might also warn a vendor with un-obfuscated binaries which make it excessively easy to bypass validation routines. Of course the impetus is on the vendor, as usual, to make a correction.

In the context of licensing the damage is to the IP holder, not the consumer. Outside of the licensing there are a number of areas where an unobfuscated binary or improper data handling could hurt end-users.

-Travis

On Thu, Jan 17, 2013 at 8:31 AM, COPiOUS <copious () hushmail com> wrote:
Yes, I know - let's say that someone who isn't me is an experienced software and hardware reverse engineer. But the cracking scene is often surrounded with a dirty smell of piracy, leaving the real interest (research in software "vulnerabilities") often obfuscated. Let's say that someone who isn't me has found obvious risks in licensing systems of certain vendors; does this also count as vulnerabilities, since licensing issues mostly don't really affect customers directly, but pose a risk for the software manufacturer?

COPiOUS

On 17-1-2013 at 2:11 PM, "Travis Biehn" <tbiehn () gmail com> wrote:

COPiOUS,

The best you can do is obfuscate your binaries to the point where it keeps out the least skilled attackers; beyond that it's unreasonable to expect your binaries will stay un-modifiable or resist examination at all. The best I can recommend is that if you have logic that you don't want compromised, or if there's a pay-application, to host most of the logic on your server, providing license verification there.

-Travis

On Thu, Jan 17, 2013 at 4:20 AM, COPiOUS <copious () hushmail com> wrote:

Hello,

First of all, the question is in the subject. Should say enough. In my opinion they are, since a software crack allows unauthorized use of software and the exposure of (possible) trade secrets, but I want to know how other people think about this. Also, by cracking software packages, other issues pop up quite often - quite a lot of applications aren't tamper-proof. But does "not tamper-proof" mean that the software is flawed? Since we're moving to a smartphone/app-centric world, application security (and especially mobile application security) is an important topic, since many developers think that a walled garden is safe. It's not because you can't get out, that others can't get in.

COPiOUS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com>
Current thread:
- Are software cracks also a form of security vulnerabilities? COPiOUS (Jan 17)
- Re: Are software cracks also a form of security vulnerabilities? Travis Biehn (Jan 17)
- Re: Are software cracks also a form of security vulnerabilities? Benji (Jan 17)
- Re: Are software cracks also a form of security vulnerabilities? Scott Herbert (Jan 17)
- Re: [Full-disclosure] Are software cracks also a form of security vulnerabilities? sxpert (Jan 18)