Re: Software Copy Protection - One More Time!
Hi Bob,

this theme was covered many times. There is a very good paper from Aaron Ardiri on this subject - I don't know the reference by heart, but it should be easy to find. There are plenty of other discussions on this topic around and all kinds of arguments were covered.

Basically we all exist in this imperfect world and most of us stopped looking for an "unbreakable code" because given the existing possibilities nothing like this exists. Plus such trials increase the risk of angering the honest people.

What proved to be working is relying on sincere users. They constitute not a negligible quantity. The others would not be paying probably anyway.

Finally, when a program achieves the state that it is being cracked, then it must already be a popular program. And illegal users - if nothing else - at least contribute to the growth of the popularity.

So it is...

Best regards,
Jan Slodicka

----- Original Message -----
From: "Bob Kodadek" <[EMAIL PROTECTED]>
To: "Palm Developer Forum" <[EMAIL PROTECTED]>
Sent: Monday, November 22, 2004 9:18 PM
Subject: Software Copy Protection - One More Time!

> Well, I have searched this forum, the PalmOne site, Appforge, and everything I can find on the internet, and no one has ever found a solution to protecting software apps on Palm devices. I've seen lots of explanations and whimsy, but nothing real. Simply put, if there is no ROM serial number, or unique (Read Only) ID stored in the hardware, then you are screwed and that's all there is to it. When copy protection is an absolute necessity for anyone developing programs in today's world, why doesn't Palm include a Flash Eprom or ROM chip with a unique serial number? Who wants to waste their time developing products for a device when the manufacturer doesn't care what happens to the developer.
>
> Now, anyone in the world can develop some scheme based on the HotSync user name, but that is completely worthless. It's not a matter of just a few people getting your program for free. Anyone can get one copy of your program with a working password and then upload the contents of the BackUp folder from the Palm Desktop for that username, onto the internet and the whole world has your program the next day. All they need to do is supply that user name. They could buy Palms on Ebay for $20.00 and resell the entire Palm with your program and that user name. And, they could sell hundreds and hundreds of them and no one would be the wiser. Don't you think that your application is worth putting onto a $20.00 Palm just to have it? I'll bet you do! The developer is the one who suffers here. No one else. It doesn't hurt the manufacturer of the Palm device one bit. In fact, it helps to sell more Palms because there is plentiful, un-protected software available for free.
>
> There are no dongles available for a Palm device, no copy protection schemes that work. You cannot hide anything in the program's Preferences, because a HotSync creates a database file of those preferences and stores it in the BackUp folder!
>
> I've been programming for about 20 years now, started in machine language and have seen and done it all since then. I began working with PalmOS last year and feel that, unless you are doing it for a hobby, it is a wasted effort. You can have all the hash routines and randomly generated serial numbers that you want. When you can simply HotSync the files located in the BackUp folder over to another machine with the same user name, nothing that you do can work.
>
> So, my real question is, why isn't everyone demanding that the hardware manufacturer incorporates a unique serial number, or unique ID of some type, that is Read Only on every device? One extra 25 cent chip on every device, that's all it would take.
>
> Bob
> --
> For information on using the Palm Developer Forums, or to unsubscribe, please see http://www.palmos.com/dev/support/forums/
Re: Software Copy Protection - One More Time!
Hi.

Concerning Aaron's white paper on this topic, following is a post that I wrote in reply to the "Lock beaming" thread (which began on 2004-10-29 at 05:10:00). The following has instructions on how to obtain the white paper from Palmsource's Knowledge Base.

Regards,
Ed.

--- my "Lock beaming" reply post follows ---

Hi.

The Palm developers' Knowledge Base has a pretty good white paper from March 2003, on copy-protection. Depending on how bullet-proof you want to make it, it can get pretty complicated. I guess it depends on the worth of your software.

By the way, on "unique ID" information, keep in mind that the Palm serial number is only available to software on PDAs that have FLASH ROM.

The white paper can be downloaded as follows:

http://kb.palmsource.com/
Under "Answer Type", select "Whitepaper".
Under "Search Text", type "protection".
Click on the "Search" button.
In the resulting list, select "Platform Software Protection"
Near the bottom of the resulting page are .sit (for MAC) and .zip (for PC) files that contain the white paper.

It has some interesting ideas.

Regards,
Ed.
Re: Software Copy Protection - One More Time!
Bob Kodadek wrote:
> Now, anyone in the world can develop some scheme based on the HotSync
> user name, but that is completely worthless. It's not a matter of just
> a few people getting your program for free. Anyone can get one copy of
> your program with a working password and then upload the contents of the
> BackUp folder from the Palm Desktop for that username, onto the internet
> and the whole world has your program the next day. All they need to do
> is supply that user name.

Then all the rest of their licensed software (that was tied to another name) would no longer work. People don't want to go changing their hotsync user name to something different for every different app they run and do it every time they run an app. In fact, most people probably don't know how.

> They could buy Palms on Ebay for $20.00 and resell the entire Palm with
> your program and that user name. And, they could sell hundreds and
> hundreds of them and no one would be the wiser. Don't you think that
> your application is worth putting onto a $20.00 Palm just to have it?

Sure, they could do that. But if you have 5 applications that you like to use regularly, how convenient is it to carry around 5 Palm devices with you all the time? It's much more convenient to just pay the license fees properly and carry around one device with all the software on it. In other words, no user is really going to spend $20.00 (plus shipping) on some old used Palm device when they could just buy your software for $20 or $30 or $50.

Actually, both these schemes that you describe could in fact be done, and maybe someone somewhere actually does them. But that does not change the fact that there are people out there making a fair amount of money selling Palm software. Yes, piracy can happen, but there is not a foolproof way to stop it. (Even if there were a hardware serial number, it's easy enough to get a disassembler, find the code that checks it, and put a JMP instruction at the beginning of that block of code to bypass it. Doing that is certainly much easier than buying a large quantity of devices on eBay.)

The fact is, from a business point of view, piracy is a reality, but it's only a small percentage if you take some precautions. In fact, I think you have to ask yourself if you lock the license to the hardware, will the support costs of issuing new keys (when someone upgrades to a newer device) outweigh the advantage of reduced piracy? It might.

- Logan
Re: Software Copy Protection - One More Time!
Hi.

Actually, Logan, I do remember once seeing a Palm application to store a number of user names in a data-base, and allow the user to select and change the registered user name. (I forget where I came across it. I did not download it!) The idea was to use it for just what Bob describes; i.e. to use a program registered for someone else's user name. So, just run the "switch-the-name" application before running the registered application. When finished, just "switch-the-name" back again to run your own registered applications. (I don't recall the actual program name.) The lengths some people will go to ...

One other idea that may, at least, restrict the number of palm devices that the application could run on is to "register" it against the Palm OS version, the manufacturer and model number of the device. (If memory serves, these are all available via APIs.) This still is not bullet-proof because the app could still run on another device of the same make, model and OS version. However, these are parameters that can not be changed, so the registered app cannot run on a different make/model/OS-version. Combine this with the user name and, if available, the unique ID (usually the serial number - for Palms with FLASH ROM), and it becomes much more difficult to pirate the software (but still not completely impossible).

Aaron's white paper had some other good ideas.

Regards,
Ed.
Re: Software Copy Protection - One More Time!
That would all be true for a program that sells for $20, $30, or $50. I was referring to commercial software that costs much more and would be in big demand. Would it be worth giving out new license keys? Absolutely! Just imagine waking up one morning to find your program available for free download on the internet to anyone and everyone who wants it. Once that happens, it's over. You aren't selling that program again.
Re: Software Copy Protection - One More Time!
Bob wrote:
> Just imagine waking up one morning to find your program available for
> free download on the internet to anyone and everyone who wants it.
> Once that happens, it's over. You aren't selling that program again.

True. But, short of using some sort of encryption (with a separate key in each device) and a kernel that makes it impossible for the user to read the decrypted code, it isn't possible to prevent that. You can always just disassemble, reverse engineer, and patch the executable to make an unlocked version.

So, to *really* solve the problem would require a fundamental change to the way devices are made and the way the OS executes programs. Anything else is just a measure that will increase the hassle of pirating.

However, you're right that the more expensive the program, the greater the motivation to pirate it. And the Palm model doesn't work as well for expensive software as it does for $10 or $20 apps.

- Logan
Re: Software Copy Protection - One More Time!
Hi Logan,

In a nutshell then, I suppose it would be wise to have a different version of the software for each specific device and try to tie that version to the device. In effect, using the OS version and other information. Then, the protection would have to be circumvented for each device. That makes a lot more sense to me. While it would be more work, it could be worth it in the long run.

Bob
Re: Software Copy Protection - One More Time!
Bob,

>In a nutshell then, I suppose it would be wise to have a different
>version of the software for each specific device and try to tie
>that version to the device.

Why not just include the company/device/HAL id etc as part of the encryption or hash process on the registration code? While it may be arguably more secure by using those IDs as part of a decryption of a code resource, maintaining and distributing those versions may not justify the extra hassles. YMMV

Doug
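Added example, not part of any post in this thread and not code from its authors or from Palm: a vendor-side registration-code generator in Python that folds the HotSync user name, the company/device IDs, the OS version and an optional flash serial into a keyed hash, as suggested in the two posts above. The key, the field values and the function names are constructed for illustration; since the same key must ship inside the app to verify a code, this is a symmetric scheme with the limits discussed elsewhere in the thread.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption). Any key embedded in a shipped app can be
# recovered from it, so this raises the effort of copying; it does not make
# the check tamper-proof.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(fields):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide."""
    out = bytearray()
    for value in fields:
        raw = value.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def make_registration_code(user_name, company_id, device_id, os_version,
                           serial=None):
    """Vendor side: derive a typable code bound to the user and the device.

    serial is optional because, as noted in the thread, only devices with
    flash ROM expose one. Without it the code binds to make/model/OS only.
    """
    msg = _canonical([user_name, company_id, device_id, os_version,
                      serial or ""])
    tag = hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()
    # 10 bytes of the tag encode to exactly 16 base32 characters (no padding).
    text = base64.b32encode(tag[:10]).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))


def check_registration_code(code, user_name, company_id, device_id,
                            os_version, serial=None):
    """App side: recompute from the values read on this device and compare."""
    expected = make_registration_code(user_name, company_id, device_id,
                                      os_version, serial)
    entered = code.strip().upper()  # tolerate lower-case entry
    return hmac.compare_digest(entered.encode("utf-8"),
                               expected.encode("utf-8"))


def demo():
    """Run the scenarios from the thread on constructed sample values."""
    user, company, model, os_ver = "Pat Example", "ACME", "MDL1", "5.2.1"
    bound = make_registration_code(user, company, model, os_ver, "SN-0001")
    loose = make_registration_code(user, company, model, os_ver)
    return {
        # Licensed user on the licensed unit.
        "same_unit": check_registration_code(
            bound, user, company, model, os_ver, "SN-0001"),
        # Backup copied to a device carrying another HotSync name.
        "other_user": check_registration_code(
            bound, "Someone Else", company, model, os_ver, "SN-0001"),
        # User name spoofed, but the device is a different model.
        "other_model": check_registration_code(
            bound, user, company, "MDL2", os_ver, "SN-0001"),
        # Same make/model/OS, different unit: fails only with a serial.
        "other_unit_with_serial": check_registration_code(
            bound, user, company, model, os_ver, "SN-0002"),
        # No serial available: any unit of that model reporting the same
        # values passes, which is the gap pointed out in the thread.
        "other_unit_no_serial": check_registration_code(
            loose, user, company, model, os_ver),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:24} accepted={accepted}")
```

Each extra field that is bound in also becomes a reason for a legitimate customer to need a new code, for example after an OS update or a device replacement.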
Re: Software Copy Protection - One More Time!
Douglas Handy wrote:
>>In a nutshell then, I suppose it would be wise to have a different
>>version of the software for each specific device and try to tie
>>that version to the device.
> Why not just include the company/device/HAL id etc as part of the encryption or
> hash process on the registration code? While it may be arguably more secure by
> using those IDs as part of a decryption of a code resource, maintaining and
> distributing those versions may not justify the extra hassles.

I would love if my competitors would do something like this. It would give me an advantage, since users don't like the hassle of dealing with stuff like that.

- Logan
Re: Software Copy Protection - One More Time!
There is a unique serial number on each SD card. That could be used as part of the installation verification for high value software. If you're really involved with high budget software, join the SD association and learn about how to utilize the SD security facilities.

All of the system identifiers can be spoofed by a hack. System calls that ask for security information highlight the code involved in security.

If you want to turn crackers into customers, how about the following game. Offer a prize for the first contestant to crack your security. In order to participate, a contestant has to either purchase a legitimate copy, or wait for someone else to win the prize.
Re: Software Copy Protection - One More Time!
From: "Bob Kodadek" <[EMAIL PROTECTED]>
> I've been programming for about 20 years now, started in
> machine language and have seen and done it all since then.
> I began working with PalmOS last year and feel that, unless
> you are doing it for a hobby, it is a wasted effort.
>
So how do you protect your desktop software? I wasn't aware that desktop hardware included the unique serial number that you're asking PDA's to include.

I've been programming a similar number of years and I'm surprised to hear you present this as a PDA-specific problem. Hardware piracy is a *computer* problem that hasn't been solved on other platforms in spite of serious amounts of money being thrown at the problem. In spite of this a large number of companies manage to be profitable.

You approach PDA software security the same way you'd approach the security of any other app - provide good value for money, make it easy to buy the app, provide advantages for software registration, release regular upgrades to discourage hacking, etc, etc.

From memory, desktop protection uses hardware id's available from some hardware components (drive, NIC, etc.). With modern PDA's that include Bluetooth, wireless networking and the like I would have thought that something similar was possible.

> One extra 25 cent chip on every device, that's all it would
> take.
>
From this can we assume that your '...done it all since then' doesn't include hardware engineering or hardware cost assessment? :-) There's a lot more to hardware manufacture than the cost of the chips.

Chris Tutty
Re: Software Copy Protection - One More Time!
From: "Bob" <[EMAIL PROTECTED]>
> Just imagine waking up one morning to find your program
> available for free download on the internet to anyone and
> everyone who wants it. Once that happens, it's over. You
> aren't selling that program again.
> --
Then someone had better tell Microsoft they're out of business because most of what they sell is downloadable in cracked form.

Just because a hack is available doesn't stop honest people from buying your software. I've also worked for a large number of companies that consider use of pirated software to be a reason to fire an employee.

Sure it's a problem, but to say that it prevents Palm OS software development being anything but a hobby is ridiculous.

Chris Tutty
Re: Software Copy Protection - One More Time!
> So, my real question is, why isn't everyone demanding that the
> hardware manufacturer incorporates a unique serial number, or
> unique ID of some type, that is Read Only on every device?
> One extra 25 cent chip on every device, that's all it would take.

i've ignored the rest of this thread - mainly because everyone else has brought up the relevant issues. but no-one really talked about a reply to this original question.

since i wrote the whitepaper on this, here is the url in the knowledgebase

http://kb.palmsource.com/cgi-bin/palmsource.cfg/php/enduser/std_adp.php?p_faqid=131

the bottom line is this. if there was a hardware "lock", it has to be checked somewhere in software; and, modifying the software is quite an easy task. at some point, there is a check, to verify the hardware lock against the registration. a simple negation of this check will normally mean it is no longer unregistered.

in my paper i outlined ideas like doing encryption and checksum checks - but, eventually in order to execute the code; it must be in pure assembly format. with the tools available on the palm these days, it is quite easy to dump a memory chunk (ie: the code decrypted) and then reverse engineer the encryption. most systems like this have symmetric encryption techniques. (need to get back to the original data).

the only truly proven "protection" is what is implemented on the tapwave zodiac (which, i was also involved in). the concept there is that the zodiac requires that the application have a digital signature in order to use its API's. the digital signature can be locked to a specific person, an SD card or whatever. it's built into the rom, so modifying the application doesn't help.

http://www.mobilewizardry.com/references/tapwave.php

i think you get the idea tho. DRM is a tricky system especially when you have to implement it all in software; we have had a few ideas that have been quite successful to prevent the spread of piracy - but, they all get broken eventually.

one project i am involved in (www.drcompanion.com) locks the contents of the software to the SD card. so, copying it between cards isn't possible (of course it is, but, very painstaking). faking the SD card rom identifier is quite nasty on palmos :) it's much easier to fake the hotsync username or the rom id (flash rom) - and, i even wrote an application to do this on an app-by-app basis:

http://www.ardiri.com/palm/hackme/
http://www.ardiri.com/index.php?redir=palm&cat=hackme&subcat=scrnshot

i think someone else mentioned it here in one of the followup threads. of course, |HaCkMe| exists for OS5 for my own personal use :) you would be surprised how many emails i get per day asking for a working OS5 version :) also, look how simple it was to use :)

---
Aaron Ardiri (Skype:: callto://ardiri)
PalmOS Certified Developer
[EMAIL PROTECTED]
http://www.mobilewizardry.com/members/aaron_ardiri.php
Re: Software Copy Protection - One More Time!
I've said it before here, locks only keep honest people out. The people that will steal your software will do so no matter what kind of protection you try. They are also unlikely to purchase it no matter the cost. Breaking protection is an end unto itself.

The smallest amount or least obtrusive protection you can engineer into your product will serve its purpose. Too much and you risk upsetting your true customers.

----- Original Message -----
From: "Aaron Ardiri" <[EMAIL PROTECTED]>
To: "Palm Developer Forum" <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 5:27 AM
Subject: Re: Software Copy Protection - One More Time!

> > So, my real question is, why isn't everyone demanding that the
> > hardware manufacturer incorporates a unique serial number, or
> > unique ID of some type, that is Read Only on every device?
> > One extra 25 cent chip on every device, that's all it would take.
>
> i've ignored the rest of this thread - mainly because everyone else
> has brought up the relevant issues. but no-one really talked about
> a reply to this original question.
>
Re: Software Copy Protection - One More Time!
That would be great if every device used a memory card, but they don't. Limiting the program to a memory card is the same as limiting the program to a specific device. A device that has a ROM Serial Number is a more better solution.

But, I'm glad to see that there is someone on here who understands the need for a solution. That's a start anyway.
RE: Software Copy Protection - One More Time!
> But, I'm glad to see that there is someone on here who understands the need for a solution.

I personally take exception to that statement (a little bit) :)

We *ALL* understand the need for a solution, and I don't see that a serial numbered device is a final solution at all. As has already been said, whatever code you write to check the serial number can be disassembled, removed and therefore usurped by a determined hacker/cracker.

We personally abandoned registration codes and locked licenses in our software some years ago, we have around 40,000 users worldwide who were causing our Helpdesk an ongoing nightmare when they changed versions of windows or moved to another PC etc., and thus required new codes.

It was a question of support costs vs lost revenue, we don't think we've lost too much revenue (though there's no acid figure), but we certainly have a more relaxed Helpdesk that is considerably cheaper to run.

Regards
John Sutton
Re: Software Copy Protection - One More Time!
There can be no security, when the files can merely be copied from the backup folder to any machine using the same UserName. That's about as lame as it gets. Do you think it takes a hacker to do that? I'm not going to debate my expertise as a programmer with you, nor my experience in the PC world. I can't argue with ignorance.
Re: Software Copy Protection - One More Time!
My last reply was for Chris, not you John. Thanks for your input.

Bob
Re: Software Copy Protection - One More Time!
At 09:16 AM 11/23/2004, you wrote:
> That would be great if every device used a memory card, but they don't. Limiting the program to a memory card is the same as limiting the program to a specific device. A device that has a ROM Serial Number is a more better solution.
>
> But, I'm glad to see that there is someone on here who understands the need for a solution. That's a start anyway.

If you're selling a very expensive commercial application, I don't see the problem in limiting it to devices that support SD cards or that have flash-embedded serial numbers. The expense of upgrading to a device with a slot or Flash will be small compared to the cost of your software.

--
Ben Combee, Technical Lead, Developer Services, PalmSource, Inc.
"Combee on Palm OS" weblog: http://palmos.combee.net/
Developer Forum Archives: http://news.palmos.com/read/all_forums/
Re: Software Copy Protection - One More Time!
On Mon, Nov 22, 2004 at 08:18:33PM -, Bob Kodadek wrote:
> Well, I have searched this forum, the PalmOne site, Appforge, and
> everything I can find on the internet, and no one has ever found a
> solution to protecting software apps on Palm devices. I've seen lots
> of explanations and whimsy, but nothing real. Simply put, if there is
> no ROM serial number, or unique (Read Only) ID stored in the hardware,
> then you are screwed and that's all there is to it.

You seem to be operating under a severely misguided assumption that a ROM serial number will somehow help you protect your software. It won't.

--
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Dave is currently listening to Pop Will Eat Itself - England's Finest (The Looks or The Lifestyle)
Re: Software Copy Protection - One More Time!
On Mon, Nov 22, 2004 at 11:00:51PM -, Bob wrote:
> Just imagine waking up one morning to find your program available for
> free download on the internet to anyone and everyone who wants it.
> Once that happens, it's over. You aren't selling that program again.

I can find any number of copies of Windows XP on the Internet free for the download. The same applies to any version of Microsoft's software, all the way back to DOS 1.0. Yet Microsoft still seems to be making money.

--
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Dave is currently listening to Pop Will Eat Itself - Eat Me Drink Me Love Me Kill Me (The Looks or The Lifestyle)
Re: Software Copy Protection - One More Time!
Bob wrote:
> Limiting the program to a memory card is the same as limiting the program
> to a specific device. A device that has a ROM Serial Number is a more
> better solution.

In a purely practical sense, a single solution like a ROM serial number is NOT a good solution. The reason is, in a 68k app at least, the only way to access a serial number is going to be through a system call, and that means a system trap. And THAT means that since it's the 68000, it's going to have to be an A-line instruction. (Traps are missing opcodes, and Motorola reserved the opcodes 0xA000 through 0xAFFF for use as system traps or whatever else the operating system wants them to be.)

So, for example, FrmDrawForm() is 0xA171. Let's say for the sake of discussion that the hypothetical call SysGetHwSerialNum() is trap number 0xA833. And let's say that suddenly everyone modifies all their Palm apps to use this new "secure" method of locking the software to the device.

Well, what have we accomplished? Now it's trivially easy to locate the registration logic within the machine language of an app! All you do is search for A833 within its code resources.

And the worst part is, if everyone did move to hardware serial numbers, they'd all be using the SAME method of protecting their software. You could practically write a program that would AUTOMATICALLY crack all Palm software!

The situation right now is a bit different: everyone uses a slightly different method to protect their software. So there is no one hex code that you can search for in order to locate the registration logic. You have to start all over again to figure it out for every separate app. In this sense, diversity and variation are good!

- Logan
Re: Software Copy Protection - One More Time!
Bob wrote:
> That would all be true for a program that sells for $20, $30, or $50. I was referring to commercial software that costs much more and would be in big demand. Would it be worth giving out new license keys? Absolutely! Just imagine waking up one morning to find your program available for free download on the internet to anyone and everyone who wants it. Once that happens, it's over. You aren't selling that program again.

Don't SD cards have a unique ID? Just deploy your app on an SD card and tie it to that serial
Re: Software Copy Protection - One More Time!
Subject: Re: Software Copy Protection - One More Time!
From: "Bob" <[EMAIL PROTECTED]>
Date: Tue, 23 Nov 2004 15:55:23 -

> There can be no security, when the files can merely be copied from the backup folder to any machine using the same UserName. That's about as lame as it gets. Do you think it takes a hacker to do that? I'm not going to debate my expertise as a programmer with you, nor my experience in the PC world. I can't argue with ignorance.
> --
> My last reply was for Chris, not you John. Thanks for your input.

When people give you good advice based on years of experience of trying different solutions to the problem of software piracy, and you don't like some of the advice you are getting, then don't call it ignorance. It isn't.

But one of the big factors is the cost of the software and the environment. Copy protection schemes cause aggravation, and on typical Palm OS software in the $5 to $30 range this aggravation results in support calls, which are relatively expensive to handle and hammer away at your profitability.

If you are selling software which costs hundreds of dollars per copy then the relative cost of the support calls caused by copy protection is much smaller and won't significantly affect your profitability. You also won't have much volume, which means that you don't need to worry about a large number of employees for your support desk. And with high cost software you can justify the creation of unique ID's for each user and other higher protection tricks.

Also on PC's you have some additional tricks available (such as checking for original install CD and use of dongles, etc). While all can be cracked, it ups the ante on the cracking game.

So take the advice, look at the price point of your software, and look at the environment you run it in. Then choose the optimal solution, which will have some copy protection.

Roger Stringer
Marietta Systems, Inc. (www.rf-tp.com)