Hacker News new | past | comments | ask | show | jobs | submit login

I personally like the idea of an application "unlocking" itself every time based on a hash of its binary. You would have to find all the places these hashes are computed -- if you missed even one place, you wouldn't be able to unlock the app.

Of course, such an app could still be cracked -- as could any app... because all you have to do is

1) purchase a legitimate copy and enter a fake name 2) take a snapshot of a working, unlocked app 3) remove all the code that cripples that state

The only way to really prevent cracking of apps that run locally is either challenge-response dongles or requiring people to provide a strongly verified identity in order to unlock the app (that way the cracker can't distribute the app without compromising the identity of the original buyer). And that is just too inconvenient for the actual buyers. Once again, security at the price of convenience.




> The only way to really prevent cracking of apps that run locally is either challenge-response dongles ...

This doesn't really work. If you have all of the functionality running on your machine but the dongle is there to authenticate, it can be cracked by ripping out the code that does the challenges. The proper way to secure an app using a dongle is to move some key piece of functionality out to hardware instead.


good point! You need some functionality though where the response can't just be memoized by the crack. What could it be?


Depends on the application, really. I can give you an example of where I've personally considered using this (ended up going with an alternative, however): my startup's product is a hotel front desk system and we have to encrypt room keys to work in the locks; pushing the crypto off onto an external device would make it considerably more difficult to pirate the software, as you'd have to reverse the algorithm and reimplement it in software. In the end, it didn't make sense for us, but it would've been pretty solid, as the odds of you having two identical cards is monumentally slim (and would only even be possible every couple of years).




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: