15

It's a topic that interests everyone. How can I protect my software against stealing, hacking, reverse engineering?

I was thinking: Do my best to protect the program for reverse engineering. Then people will crack it and seed it with torrents. Then I download my own cracked software with a torrent with my own torrent-software. My own torrent-software has then to seed incorrect data (bytes). Of course it has to seed critical bytes.

So people who want to steal my software download my wrong bytes. Just those bytes that are important to startup, saving and loading data, etc... So if the stealer download from me (and seed it later) the stealer can't do anything with it, because it is broken.

Is this idea relevant? Maybe, good torrent-clients check hashes from more peers to check if the packages (containing my broken bytes) I want to seed are correct or not?

Peter Mortensen
  • 12,090
  • 23
  • 70
  • 90
Martijn Courteaux
  • 335
  • 2
  • 13
  • 3
    I've read the RIAA has already done this for music files. –  Jun 09 '10 at 15:17
  • 27
    you are wasting your time, you aren't losing any money from thieves, by definition they would never buy your software to begin with. –  Jun 09 '10 at 15:20
  • It would fail for the reason I give below. What I believe the RIAA (or rather MediaSentry) did was seed random data with the filename of popular music (Madonna?) - hiding the signal amongst the noise. – graham.reeds Jun 09 '10 at 15:20
  • 28
    Discarding the fact that it wouldn't work due to CRC checks etc, I'd suggest that it might be a bad idea for another reason. The people who steal the software probably won't pay for it anyway, but if it doesn't work they might tell their friends or bosses that your software is bad quality so that they don't buy it either. – ho1 Jun 09 '10 at 15:25
  • @fuzzy: While it's not as definite as you make it seem, it's true that such people would be much more likely to not purchase the software in the first place. –  Jun 09 '10 at 15:30
  • 9
    In most cases, a pirated copy is not a lost sale. –  Jun 09 '10 at 15:58
  • 13
    Whatever you do, make sure you don't make it hard for paying customers to use your software – user6863 Jun 09 '10 at 17:00
  • I would suggest putting in the time to make sure that the software won't easily work when copied. – Paul Nathan Jun 09 '10 at 17:11
  • 2
    Chances are you are going about this all wrong. First, is your software really worth pirating? If not, then why are you worried? If it is not already on Bit-Torrent, it probably isn't worth pirating. If it is, you're too late. – Warren P Jun 09 '10 at 17:23
  • 2
    See the Streisand effect(http://en.wikipedia.org/wiki/Streisand_effect). Being a dick about your software will engender more ill will and bad publicity than your lost sales will ever be worth. – Fake Name Jun 11 '10 at 00:38

6 Answers6

43

Their torrent app (the pirates) will simply discard the bytes you are seeding as bad due to CRC checks. Then you will get banned by that IP for being a repeat offender.

graham.reeds
  • 290
  • 7
  • 17
  • What CRC does bit torrent use? Could a garbage packet be generated that had the correct CRC? There are apps to do this for MD5 and I'm sure a true CRC would be just as easy. – deft_code Jun 09 '10 at 16:10
  • 17
    It could be generated, *in theory*; however, the BitTorrent protocol uses SHA-1 hashing; it is harder to find hash collisions (which is what we're after, here) in SHA-1 than in MD5. Practically, it's not feasible at present. – Piskvor left the building Jun 09 '10 at 16:21
  • @Caspin In essence, no. It would take at least a week under ideal, conditions, a really fast computer (super computer), and a team of cryptographers to break the CRC hash for a single file. Good luck with that. – Evan Plaice Jun 15 '10 at 09:15
10

Q. Can I protect my software by sending wrong bytes?
A. No, it can be hacked around anyway, especially if someone gets their hands on a legit copy.

Q. How can I protect my software against stealing, hacking, reverse engineering?
A. Sell it for a fair price, this will undermine attempts to hack.

  • See http://www.plagiarismtoday.com/2010/05/26/reflections-on-the-humble-indie-bundle-piracy/ for point 2. Pirates pirate. Better software won't help you. – Paul Nathan Jun 09 '10 at 17:07
  • 1
    @Paul: There are a lot of people who don't pirate. There are many people who refuse to pay. But there are also some people who are more willing to pay for something if it's offered for a lower price than a higher one. Those are the people who would be affected by a lower price. (Though you wouldn't want to price it too low, I suppose.) –  Jun 09 '10 at 19:21
8

I'd suggest to approach the problem from the other end. Embed a unique identification code into each copy of your software that you give to your clients. In case somebody is seeding, you can at least identify who did it and take legal actions.

  • But they will do reverse engineering and will change their unique code. So they become anonymous, no? – Martijn Courteaux Jun 09 '10 at 15:23
  • 5
    Only if they can find it. –  Jun 09 '10 at 15:23
  • INDEED!! Thanks, just put it somewhere on a hidden place in my application. But will the C++ compiler know that the variable is unused and remove it? – Martijn Courteaux Jun 09 '10 at 15:25
  • 2
    @Developer Art: If they have access to multiple copies of the software, they may be able to do binary comparisons to figure out how exactly the copies differ from each other and where they differ, so unless you set up a way for the parts of the identifier to be obfuscated in a random fashion it might not be that hard to figure it out. –  Jun 09 '10 at 15:27
  • @JAB: Indeed, also true... *I hate computers...* – Martijn Courteaux Jun 09 '10 at 15:28
  • 1
    @Martijn - add the keyword 'volatile' to the variable. This tells the compiler, among other things, to not optimize-out the unused variable. – Robert Deml Jun 09 '10 at 15:28
  • 2
    It's not done with a single variable. You could spread the information around all modules of your app, pretending as though you're really using it for some purposes. It's somewhat art how to make it unobtrusive to prying eyes. Maybe ask a separate question about techniques to achieve that. Would be interesting. –  Jun 09 '10 at 15:28
  • 19
    You can check different builds for whether the mark is optimized away or no. But so can the users! In fact, no professional cracker uploads stuff without first obtaining several copies and comparing them, because they want to protect their sources. In the end, you are fighting against windmills; much better to spend the effort on writing great software, which encourages users to pay you, than on stopying the copying, which just encourages them to try harder not to pay. –  Jun 09 '10 at 15:30
  • 2
    You're fighting an uphill battle. Whatever your encryption/password scheme is, chances are, the cracker organisations have seen it and know how to break it. They have years of experience and much better programmers than you do. Sorry. – Evan Plaice Jun 15 '10 at 09:18
8

Does DRM work? No. Does setting up bad BitTorrent/EDonkey2000 stuff work? No. Does anyone care about pirating your little application? No. Nobody has ever heard of it.

Warren P
  • 2,931
  • 8
  • 37
  • 53
  • 1
    "Nobody has ever heard of it." This is a good point... –  Jun 09 '10 at 18:06
  • If someone is willing to pirate it, then it is worth protecting. –  Jun 09 '10 at 18:39
  • 2
    @Ben313: a better phrase would be "If someone is willing to buy it, then it is worth protecting." –  Jun 09 '10 at 19:23
  • 1
    Unless you wrote something better than AutoCad, MS Word, etc, your software is even less worth protecting than the other people (Microsoft, AutoDesk) who have 100 smarter people working for them, than you (a single developer) have, and still they have not built a DRM that works. – Warren P Jun 10 '10 at 15:42
4

bittorent and most other good p2p software protects itself from such kind manipulation by using file hashes, e.g. md5.

cody
  • 569
  • 2
  • 6
  • 15
  • 1
    The hashing algorithm is SHA-1, according to Wikipedia: http://en.wikipedia.org/wiki/BitTorrent_(protocol)#Creating_and_publishing_torrents - slightly safer than MD5 – Piskvor left the building Jun 09 '10 at 16:23
2

t's a topic that everyone interests. How can I protect my software against stealing, hacking, reverse engineering?

The only way (I can think of) to do it is to run software completely on your server, and have no useful code in client application - because if you can't get it, you can't (easily) crack it. This way you'll have control over accounts and you'll know who uses your application. Users won't be happy, though. And if you'll only run copy-protection-related code on your server, someone will hack it by writing server emulator OR they'll identify code and bypass protection completely. As it happened with new Ubisoft copy-protection scheme.

Keeping software on server isn't completely bulletproof. Instead of cracking the software, someone will start attacking your server in order to break in and to get software. And there is always "social engineering" security holes. "keep everything on server" will work best if your software cannot be run on normal machine (i.e. it requires supercomputer or computer cluster). A good example of this is EVE Online - unlike WOW and Lineage there are no server emulators I know of, because it requires computer cluster to run the server.

My own torrent-software has then to seed incorrect data (bytes). Of course it has to seed critical bytes.

  1. If you'll try to "hijack" existing torrent, any sane client will report CRC errors and ignore your client. All p2p software uses hashes.
  2. If you upload "wrong" torrent, another user will report your torrent as fake, so no one will download it.

stealer

"Pirate", because it is called copyright infringement.

SigTerm
  • 153
  • 6