Protect commercial SW-based service?

>mblume wrote:
>> You could protect it with an USB dongle that must be present for 
>> the SW to run like e.g. http://wibu.de/start.php?lang=en 
>
>They are easily cracked with a disassembler. Just look for references to

>the parallel port and modify the dongle-check to always return TRUE.
>
>Jerry

Gee, you must have worked with some lousy dongles. Most work with a
challenge/handshake scheme that requires some serious determination to
crack.

Steve

su- [Thu, 25 Jun 2009 03:18:09 -0500]:
 >Remember in the 1980s when ...

There was no piratebay and 1000s of warez boards
accessible from anywhere, anytime, any can be
had in a few seconds?

haha, yeah, CP and its ilk WERE used

 > mostly...legitimate customers.

because why would someone with warez need to use
a..well, whatever those un-protect things were
called.  Anyway, the real problem is, this is not
something for "copy protection" or other DRM.  It's
something for a patent.  The more the merrier.  If
this is so revolutionary as the OP claims, anything
else is pretty damn stupid.  This is what patents
are for.  (Whoops ... software patents; if those fly.)

-- 
 40th Floor - Software  @  http://40th.com/
  PhantasmX3 - The finest sound in the world
   phantasm.40th.com   ppc   netbook

steveu wrote:
>> mblume wrote:
>>> You could protect it with an USB dongle that must be present for 
>>> the SW to run like e.g. http://wibu.de/start.php?lang=en 
>> They are easily cracked with a disassembler. Just look for references to
> 
>> the parallel port and modify the dongle-check to always return TRUE.
>>
>> Jerry
> 
> Gee, you must have worked with some lousy dongles. Most work with a
> challenge/handshake scheme that requires some serious determination to
> crack.

You just bypass all that and return whatever would be returned with the 
dongle present.

Jerry
-- 
Engineering is the art of making what you want from things you can get.
�����������������������������������������������������������������������

Put the critical math in an encrypted FPGA, and sell boards, which
plug into the PC.
Or build a black box.  Put in a processor and/or FPGA.  Many
microcontrollers will allow you to set bits that mean the JTAG can't
access memory.  Put the black box on the network or on USB.

On 25 Jun, 19:34, Dan <djthu...@gmail.com> wrote:
> Put the critical math in an encrypted FPGA, and sell boards, which
> plug into the PC.
> Or build a black box. &#4294967295;Put in a processor and/or FPGA. &#4294967295;Many
> microcontrollers will allow you to set bits that mean the JTAG can't
> access memory. &#4294967295;Put the black box on the network or on USB.

Interesting.

Do you have any particular devices in mind? Or are there
any SW emulators for these kinds of things out there?
Just for testing the programming and data logistics of
such a solution.

Rune

Rune Allnor <allnor@tele.ntnu.no> wrote:

< On 25 Jun, 19:34, Dan <djthu...@gmail.com> wrote:
<> Put the critical math in an encrypted FPGA, and sell boards, 
<> which plug into the PC.
<> Or build a black box. ?Put in a processor and/or FPGA. ?Many
<> microcontrollers will allow you to set bits that mean the JTAG can't
<> access memory. ?Put the black box on the network or on USB.
 
< Do you have any particular devices in mind? Or are there
< any SW emulators for these kinds of things out there?
< Just for testing the programming and data logistics of
< such a solution.

The software, both simulation and syntheses, is available
free from both Altera and Xilinx.  You need to learn Verilog
or VHDL, and think in terms of hardware logic design instead
of software.  

-- glen

Rune Allnor wrote:
> On 25 Jun, 05:08, glen herrmannsfeldt <g...@ugcs.caltech.edu> wrote:
>> Fred Marshall <fmarshallx@remove_the_x.acm.org> wrote:
>
>> < The other thing is that potential competitors will have different
>> ideas, < approaches and business models. How your technical ideas
>> fit into one or < more business models could be key. Are you selling
>> a processor? Are you < selling a processing service? etc. etc.
>
> The idea is to sell a *service*. I don't know how involved you
> used to in hands-on operational work, but this is about the
> cleaning of sonar data. There are certain types of noise that
> are problematic on certain types of sonars, and human operators
> spend vast amounts of time visually inspecting and manually
> removing the noise from the data.
>

Rune,

As you may know or recall, I was in the business - although not specifically 
in exploration signal processing.  Sonar yes.  Signal processing yes. 
Exploration yes.  Not a bad correlation overall.

If it's as you say it is then why not send "your guy" out onto the ship 
(and, by extension, "your guys" out onto the ships) with a "suitcase"? 
Maybe the profits would be lower but the benefits would still be substantial 
it appears.  Also might help in the obfuscation factor.

In the back of my mind is "there are no secrets".  Thus patents are 
important here. And, an exit strategy while the value is highest .. before 
leaks make it less so.  So, either it's a trade secret with a limited life 
or it's patented and, thus, protected for a likely much longer time.

With something like this I'm not sure YOU want to sell a service.  I should 
think that you'd want SOMEONE to sell the service and that you would benefit 
from it.  I can imagine a demo for an instrument company AND a potential 
customer or two of theirs:
You sit in a room with your gadget, take in the data and spit out the 
results for all to see.  They get hyped.  You sell the technology and drink 
Akvavit as the parade passes by.

I don't know, I may still have contacts with senior scientists at the 
exploration companies.  This sort if thing is worth a lot of money. 
Certainly what we did for them was!

We once did a demo of automatic line cancelling.  It went like this:

A small room with a signal generator set to run fm sweeps or some such thing 
that was rich in stable lines.  Generator into an amp and projector.
A human speaker with a microphone into the amp and projector as well.
A line canceller connected to the signal generator (as the noise reference) 
and fed into the speakers as well.
Phase 1: Generator off.  Speaker is heard.
Phase 2: Generator is on.  The room is filled with sound.
Phase 3: The speaker's mouth is seen to be moving but you can't hear / 
differentiate a word.
Phase 4: The line canceller is turned on and the speaker is heard 
perfectly.
No big surpise to us here of course but it was sure compelling to the 
audience!!

There are lots of ideas that should suffice.  Go for it!!!  :-)

Fred

>steveu wrote:
>>> mblume wrote:
>>>> You could protect it with an USB dongle that must be present for 
>>>> the SW to run like e.g. http://wibu.de/start.php?lang=en 
>>> They are easily cracked with a disassembler. Just look for references
to
>> 
>>> the parallel port and modify the dongle-check to always return TRUE.
>>>
>>> Jerry
>> 
>> Gee, you must have worked with some lousy dongles. Most work with a
>> challenge/handshake scheme that requires some serious determination to
>> crack.
>
>You just bypass all that and return whatever would be returned with the 
>dongle present.

Not with a challenge handshake system. The computer sends a different
random string to the dongle each time, and the dongle must return the
appropriate string after processing it with its own secret code. Replay
approaches are useless, and trying to work out the secret code is pretty
hard. That's what protection dongles have been doing for at least 15
years.

Steve

steveu wrote:


>>
>>You just bypass all that and return whatever would be returned with the 
>>dongle present.
> 
> 
> Not with a challenge handshake system. The computer sends a different
> random string to the dongle each time, and the dongle must return the
> appropriate string after processing it with its own secret code. Replay
> approaches are useless, and trying to work out the secret code is pretty
> hard. 

.....and this paranoidal conglomeration comes down to one JZ somewhere 
in the program that simply has to be patched to JNZ.

> That's what protection dongles have been doing for at least 15
> years.

If the dongle doesn't perform some not so obvious function essential for 
the program operation, it will be hacked as the matter of few hours.

VLV

>
>
>steveu wrote:
>
>
>>>
>>>You just bypass all that and return whatever would be returned with the

>>>dongle present.
>> 
>> 
>> Not with a challenge handshake system. The computer sends a different
>> random string to the dongle each time, and the dongle must return the
>> appropriate string after processing it with its own secret code.
Replay
>> approaches are useless, and trying to work out the secret code is
pretty
>> hard. 
>
>.....and this paranoidal conglomeration comes down to one JZ somewhere 
>in the program that simply has to be patched to JNZ.

Jerry was talking about fooling the software by emulating the dongle, and
most dongles make that hard. How hard it is to patch the software itself
depends on the application developer. It is largely beyond the dongle
maker's control. 

>> That's what protection dongles have been doing for at least 15
>> years.
>
>If the dongle doesn't perform some not so obvious function essential for

>the program operation, it will be hacked as the matter of few hours.

Most well know programs have a fairly complex interaction with the dongle,
which makes them somewhat hard to circumvent. For example, the encryption
engine in the dongle can be used to decrypt important sections of the
code.

In the end, most of these techniques fall into certain patterns, which the
people trying to crack them start to recognise. Most things end up cracked,
and the legitimate customer tends to be the one who is most
inconvenienced.

Steve