On 12/2/03 5:59 PM, adam uttered the following:
> BUT... if you include a blacklist of leaked serials in your app for
> comparison, be sure to encrypt them somehow also, so that they can't be
> disabled. For example, if someone leaks a serial number "WXYZ" to
> version 2.0 of your program, DON'T add something like this to version
> 2.1:
>
> if serial="WXYZ" then
> alert("This serial is stolen!")
> end if
>
> If you do something like this, the string literal "WXYZ" will be easy
> to find with a Hex Editor, and someone can just as easily change it to
> "HAHA" so that your v2.1 application accepts "WXYZ" again. Ditto for
> simple integer literals. This isn't a theoretical issue either; a very
> popular RB developer has this exact security hole in the current
> version of their product.
>
> The simplest thing to do is change the format of your serial number
> with each major release of the application, so that it is keyed to a very
> specific version. Obfuscated serial number validation code is also
> desirable so that it takes much longer to reverse engineer. The more
> obscure the better!
That's not exactly what I meant, but you bring up a good point. I generate
codes based on the registered user's name (and other stuff) so that each
code is tied, via my algorithm, to a name. Sending out a general reg code is
a poor method in my opinion.
As to changing the reg number for each major release, that's a big no-no in
my book -- especially when it comes to shareware. This would mean that all
users would have to be issued a new number for each major release, a la
Adobe, and that would plain ol' be a pain for me and the user. Now, if I
didn't update my apps but once a year, sure -- but I update as needed and I
have a strong "once registered, always registered" policy. =)
Maury
===========================================
RAILhead Design: "Giving the planet a makeover"
news | icons | desktops | fonts | software | more
< http://www.railheaddesign.com/ >
===========================================
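The two ideas in this exchange, a registration code tied to the registered name and a leaked-serial blacklist that stores hashes rather than the literal serial, as an added example that is neither adam's nor Maury's code (the HMAC-based derivation, the vendor key and the "Leaky User" sample are all assumptions made for illustration):

```python
import hashlib
import hmac

# Hypothetical vendor secret (assumption for this example). In a shipped binary
# it would itself need protecting; a plain literal like this is only for the demo.
VENDOR_KEY = b"example-vendor-key-not-real"
PRODUCT_VERSION = "2.1"


def make_reg_code(user_name: str, version: str = PRODUCT_VERSION) -> str:
    """Derive a code bound to the registered name via HMAC-SHA256 (assumed scheme)."""
    msg = f"{user_name.strip().lower()}|{version}".encode()
    digest = hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()
    tag = digest[:8].hex().upper()            # 16 hex chars
    return "-".join(tag[i:i + 4] for i in range(0, 16, 4))  # XXXX-XXXX-XXXX-XXXX


def code_matches_name(user_name: str, code: str, version: str = PRODUCT_VERSION) -> bool:
    """Recompute the code for the name and compare in constant time."""
    return hmac.compare_digest(make_reg_code(user_name, version), code.strip().upper())


def blacklist_entry(code: str) -> str:
    """Hash a leaked code; the blacklist holds digests, not the serial string itself,
    so searching the binary for the serial text finds nothing."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


# Constructed sample: a code issued to "Leaky User" that was later posted publicly.
LEAKED_CODE = make_reg_code("Leaky User")
LEAKED_CODE_HASHES = frozenset({blacklist_entry(LEAKED_CODE)})


def is_blacklisted(code: str) -> bool:
    return blacklist_entry(code) in LEAKED_CODE_HASHES


def validate(user_name: str, code: str) -> str:
    """Return "revoked", "invalid" or "ok" for a name/code pair."""
    if is_blacklisted(code):
        return "revoked"
    if not code_matches_name(user_name, code):
        return "invalid"
    return "ok"


if __name__ == "__main__":
    good = make_reg_code("Alice Example")
    print(validate("Alice Example", good), validate("Bob Example", good), validate("Leaky User", LEAKED_CODE))
```

Hashing the blacklist removes the searchable literal, but the comparison branch in `validate` can still be patched out, which is the reason adam also recommends obfuscating the validation code rather than relying on hidden constants alone.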