Please take me out from your mailing list!
I did not subscribe to any of these.


[EMAIL PROTECTED]


--- Dain Sundstrom <[EMAIL PROTECTED]> wrote:
>I remember seeing a vm that used an encrypted class code loader, but 
>even the vendor said that one could at the OS level rape the vm of the 
>loaded byte code.  I am sure that most app servers wouldn't work with it 
>as most use a custom class loader.
>
>-dain
>
>Coetmeur, Alain wrote:
>
>> I agree, but this is why
>> I talked about the need to 
>> obfuscate the whole code to protect the 
>> CA certificate and the code around it...
>> 
>> and why I've said it was probably useless overkill,
>> since it is very hard to keep code from being
>> read, and to protect data that are
>> used internally in the virtual or real machine.
>> moreover, even if the code and data are really protected,
>> the surrounding environment can fake being
>> the right machine... at the price of horrible hacks
>> in the engine (changing gethostname and the like)...
>> 
>> 
>> in fact the need is only to protect from
>> easy attacks (copy and drop),
>> since hard attacks are never put
>> "in production" in serious corps
>> which can pay for the product...
>> 
>> and since the problem for commercial 
>> software vendors is to make people who can pay, pay,
>> there is no advantage in restricting software usage
>> for people who will never pay.
>> 
>> but it is a philosophical and sociologic problem...
>> 
>> technically the problem is:
>> what level of competence is needed to hack my protection?
>> 
>> with a simple system of site certificate
>> and embedded CA, a good developer with a disassembler is enough...
>> 
>> if the certificate and the code are obfuscated,
>> either you need someone able to change the 
>> appserver internals, and by the way find what to fake,
>> ...
>> if the parameters used cannot be faked, someone
>> able to hack the Java VM could do the job.
>> 
>> These risks may be important to analyse for
>> financial transaction security, privacy protection,
>> or secrecy, but not just for
>> software licensing.
>> 
>> 
>> 
>> 
>>>-----Original Message-----
>>>From: Dain Sundstrom [mailto:[EMAIL PROTECTED]]
>>>Date: Thursday 21 February 2002 16:29
>>>To: Coetmeur, Alain
>>>Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
>>>Subject: Re: [JBoss-user] Copy protection
>>>
>>>
>>>You really don't understand the basic theory of cryptography, which 
>>>assumes you have a trusted source and a trusted sink.  The source and 
>>>sink are people, not machines.  For example the movie industry believed 
>>>that DVD copy protection was unbreakable, because they controlled the 
>>>sink software.  As everyone knows they were wrong.  As Bruce Schneier 
>>>said "you can't protect bits".
>>>
>>>-dain
>>>
>>>Coetmeur, Alain wrote:
>>>
>>>
>>>>one way is to use
>>>>a public key protocol to check for right to execute
>>>>
>>>>maybe a privatekey can also be enough.
>>>>
>>>>an example could be:
>>>>
>>>>a key component of your EAR looks
>>>>at the server name, and checks
>>>>if it is coherent with a certificate
>>>>it has in its keystore.
>>>>
>>>>you can create a certificate for each of your licensees,
>>>>and deliver them in the EAR as a resource
>>>>(this means you have to add it to your keystore
>>>>in the program), or as a separate certificate
>>>>to add to the java keystore...
>>>>
>>>>by the way, to check that the certificate is
>>>>your own, you should also embed a (sub)CA certificate
>>>>in your application, so that the user cannot change it.
>>>>why not the text version of the certificate as a string...
>>>>then load it in your java key store,
>>>>and check the certificate that is deployed somewhere
>>>>if it is 
>>>>1- signed by the CA
>>>>2- having a name coherent with the server name.
>>>>
>>>>besides that, you should obfuscate the java classes
>>>>to keep the smarter ones from hacking your system...
>>>>but is it in your interest?
>>>>to avoid copy/paste license violation can be enough
>>>>and hackers won't be frequent in serious organisations...
>>>>
>>>>If JSSE/JCE from Sun is not flexible enough,
>>>>try Cryptix JCE which should use PKCS key storage formats...
>>>>
>>>>If it works, and if you want your solution to be maintained for free, put
>>>>your license system open source!
>>>>
>>>>It looks a little perverse but it could be useful
>>>>to explain that license respect and open source are not opposites.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Leigh Wanstead [mailto:[EMAIL PROTECTED]]
>>>>>Date: Thursday 21 February 2002 03:59
>>>>>To: [EMAIL PROTECTED]
>>>>>Subject: [JBoss-user] Copy protection
>>>>>
>>>>>
>>>>>Hello everyone,
>>>>>
>>>>>I am not sure if this is the correct place to ask. Anyway, here is the
>>>>>question.
>>>>>
>>>>>How do you protect your ear files? I mean if you deploy an ear into an
>>>>>application server, how do you prevent others from simply copying this
>>>>>ear to another application server? What 3rd party tools would you recommend?
>>>>>
>>>>>Thanks in advance.
>>>>>
>>>>>Best Regards
>>>>>Leigh
>>>>>
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>JBoss-user mailing list
>>>>>[EMAIL PROTECTED]
>>>>>https://lists.sourceforge.net/lists/listinfo/jboss-user
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>> 
>> 
>
>
>


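To make the licensing scheme quoted above from Alain's message concrete (an embedded vendor CA certificate, one certificate per licensee whose name must match the server, and a check that the deployed certificate is signed by that CA and names the host), here is an added example. It is not code from this thread, from JBoss, or from any of the posters; it is written in Go against the standard crypto/x509 package rather than the Java keystore/JSSE API the thread has in mind, because Go can generate the CA and licensee certificates in-process and run offline. The CA names, the hostnames and the `checkLicense` function are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

// newCA builds a self-signed CA certificate. In the scheme from the thread
// this is the vendor (sub)CA whose certificate is embedded in the EAR.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLicense has the vendor CA sign a per-licensee certificate whose
// subject alternative name is the one server the EAR may run on (DER bytes).
func issueLicense(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serverName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name the check compares against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// checkLicense is the check the thread describes (hypothetical name): the
// deployed licensee certificate must chain to the embedded CA and must name
// the host the application finds itself on. Verify enforces both at once.
func checkLicense(embeddedCA *x509.Certificate, licenseDER []byte, serverName string) error {
	lic, err := x509.ParseCertificate(licenseDER)
	if err != nil {
		return fmt.Errorf("license certificate unreadable: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(embeddedCA) // trust only the vendor CA, never the system store
	_, err = lic.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName, // must match a SAN entry of the licensee cert
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	vendorCA, vendorKey, err := newCA("Example Vendor Licensing CA")
	if err != nil {
		panic(err)
	}
	license, err := issueLicense(vendorCA, vendorKey, "app1.licensee.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("licensed host:        ", checkLicense(vendorCA, license, "app1.licensee.example"))
	fmt.Println("EAR copied elsewhere: ", checkLicense(vendorCA, license, "app2.licensee.example"))

	// A licensee who mints their own CA cannot forge a license, because only
	// the embedded vendor CA is in the trust pool.
	rogueCA, rogueKey, _ := newCA("Rogue CA")
	forged, _ := issueLicense(rogueCA, rogueKey, "app2.licensee.example")
	fmt.Println("rogue-CA license:     ", checkLicense(vendorCA, forged, "app2.licensee.example"))

	// In a real deployment serverName comes from the host itself, which is
	// exactly the value the thread notes an attacker can fake (gethostname).
	host, _ := os.Hostname()
	fmt.Println("this machine reports: ", host)
}
```

The three printed lines show the two failure modes the thread cares about (the EAR copied to a host it was not licensed for, and a licensee-made CA) being rejected by the same `Verify` call. Dain's objection still stands unchanged: the whole scheme collapses to one boolean on the licensee's machine, so patching that branch in the bytecode or lying about the hostname defeats it, which is why the thread settles on it being protection against copy-and-drop only.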
