Message-ID: <CAKtE3zfndZUi3XEtGJo-6VDk=mBoRznkhEaB3Jy5tRFJWv8P6w@mail.gmail.com>
Date: Thu, 17 Jan 2013 08:42:14 -0500
From: Travis Biehn <tbiehn@...il.com>
To: COPiOUS <copious@...hmail.com>, 
	full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Are software cracks also a form of security
	vulnerabilities?

Most licensing systems are toothless except for the ones that offload
critical functionality to external components.
A) A USB Stick that processes encrypted commands issued by the program.
These little things are pretty ingenious; they contain the decryption keys
in the USB stick and the program contains encrypted functions. High cost to
recover the decryption key and get the routines and they work in offline
mode.
B) Program logic is carried out server side. Cost to maintain servers,
program requires persistent internet connection.

Neither of them seems too feasible for a mobile environment; developers have
to assume and account for losses due to piracy just like in any other
medium.

That being said nobody is preventing you from responsibly disclosing
licensing issues to a vendor and recommending a more robust approach. One
such case is if a vendor was to use a license.dat file stored in open
storage, easily copied and shared. You might also warn a vendor with
un-obfuscated binaries which make it excessively easy to bypass validation
routines.

Of course the impetus is on the vendor, as usual, to make a correction. In
the context of licensing the damage is to the IP holder not the consumer.
Outside of the licensing there are a number of areas where an unobfuscated
binary or improper data handling could hurt end-users.

-Travis


On Thu, Jan 17, 2013 at 8:31 AM, COPiOUS <copious@...hmail.com> wrote:

> Yes, I know - let's say that someone who isn't me is an experienced
> software and hardware reverse engineer.
>
> But the cracking scene is often surrounded with a dirty smell of piracy,
> leaving the real interest (research in software "vulnerabilities") often
> obfuscated.
>
> Let's say that someone who isn't me has found obvious risks in licensing
> systems of certain vendors, does this also account as vulnerabilities,
> since licensing issues mostly don't really account customers directly,
> but pose a risk for the software manufacturer.
>
> COPiOUS
>
> On 17-1-2013 at 2:11 PM, "Travis Biehn" <tbiehn@...il.com> wrote:
> >
> >COPiOUS,
> >The best you can do is obfuscate your binaries to the point where it
> >keeps out the least skilled attackers, beyond that it's unreasonable to
> >expect your binaries will stay un-modifiable or resist examination at all.
> >
> >The best I can recommend is that if you have logic that you don't want
> >compromised or if there's a pay-application to host most of the logic
> >on your server; providing license verification there.
> >
> >-Travis
> >
> >
> >On Thu, Jan 17, 2013 at 4:20 AM, COPiOUS <copious@...hmail.com> wrote:
> >
> >> Hello,
> >>
> >> First of all, the question is in the subject. Should say enough.
> >>
> >> In my opinion they are, since a software crack allows unauthorized use of
> >> software and the exposure of (possible) trade secrets, but I want to know
> >> how other people think about this. Also, by cracking software packages,
> >> other issues pop up quite often - quite a lot of applications aren't
> >> tamper-proof. But does "not tamper-proof" mean that the software is flawed?
> >>
> >> Since we're moving to a smartphone/app-centric world, application security
> >> (and especially mobile application security) is an important topic, since
> >> many developers think that a walled garden is safe. It's not because you
> >> can't get out, that others can't get in.
> >>
> >> COPiOUS
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> >--
> >Twitter <https://twitter.com/tbiehn> |
> >LinkedIn<http://www.linkedin.com/in/travisbiehn>|
> >GitHub <http://github.com/tbiehn> |
> >TravisBiehn.com<http://www.travisbiehn.com>
>
>


-- 
Twitter <https://twitter.com/tbiehn> |
LinkedIn<http://www.linkedin.com/in/travisbiehn>|
GitHub <http://github.com/tbiehn> | TravisBiehn.com<http://www.travisbiehn.com>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
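
Added example, not part of the original thread or any poster's code: a sketch of the server-side license verification recommended above, contrasted with a freely copyable license.dat. The function names, token layout and demo key are assumptions made for illustration; the signing key stays on the server and each license is bound to one device identifier.

```python
import base64
import hashlib
import hmac
import json

# Assumption: this key exists only on the vendor's server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_license(customer: str, device_id: str, key: bytes = SERVER_KEY) -> str:
    """Server side: bind a license to one device and authenticate it."""
    payload = json.dumps({"customer": customer, "device": device_id},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_license(token: str, presenting_device: str,
                   key: bytes = SERVER_KEY) -> bool:
    """Server side: accept only an unmodified token sent by its own device."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False  # malformed token or bad base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # payload was edited or tag was forged
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    device = claims.get("device") if isinstance(claims, dict) else None
    if not isinstance(device, str):
        return False
    # A license file copied to another device fails here.
    return hmac.compare_digest(device.encode(), presenting_device.encode())


if __name__ == "__main__":
    token = issue_license("constructed-customer", "device-A")
    print(verify_license(token, "device-A"))  # license on its own device
    print(verify_license(token, "device-B"))  # same file shared elsewhere
```

The device identifier is still reported by the client, so this keeps the key off the device and stops plain file sharing rather than making the client tamper-proof.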
