Vulnerability Development mailing list archives

Re: Software authentication (was RE: Gibson (was Crack Office XP))


From: J Edgar Hoover <zorch () totally righteous net>
Date: Fri, 15 Jun 2001 00:53:03 -0700 (PDT)

On Wed, 13 Jun 2001, Mark Collins wrote:

> I think it's due to the current underground culture. As the traditional
> crackers went pro (many of the people who cracked games now work in the games
> industry), the new breed didn't understand how to do the more complex
> cracking (reverse engineering the copy protection). Instead, they focused on
> generating serial numbers.
>
> Call it a degradation of skills over time, if you will.

Hi there, this is Earth calling. What planet are you from?

> If the authentication server is hardcoded and obfuscated, it would be
> nearly impossible to change it.

"hardcoded" means you can't change it? Or does "obfuscation" make it
"nearly impossible"?

> Some serious hacking of the TCP stack would be in order (if it addresses the
> auth server by IP only), and I'd expect most people who are capable of such
> would either a) be white-hat or b) be too 'leet to release it.

On earth, we have discovered the magic of ifconfig and the hosts file.

> There was a recent discussion about this on the Linux Game Developer list.
> Having 2 copies of the auth key, one which is MD5 encoded and well hidden
> would make changing the addresses pretty tough.

Hide it on the hard drive, nobody will ever look there.

> Mark 'Nurgle' Collins
> ===
> Lead Author - Linux Game Programming

Scary.

It is trivial to spoof WON auth for a HalfLife server (or client). There
are also several ways to execute instructions on either a server or client
remotely.

The security of most network games is poor. The combination of closed
source and clueless network code is truly dangerous.

Please, if you are producing network games, have them audited by a
security professional.

zorch




