CAD CAM EDM DRO - Yahoo Group Archive

Re: [CAD_CAM_EDM_DRO] Languages

on 2001-08-20 12:38:30 UTC
Larry Edington wrote:
> However, there is a SERIOUS problem with Delphi and C++ Builder
> everyone needs to be aware of. While it is a true compiler where
> Visual Basic is not a true compiler, Delphi / C++ Builder leaves
> a LOT of tokens in the executable that can easily be used by a
> hacker to understand the internals of your program.
> So let's say you wrote a program that you wanted to release as
> shareware that had a password or serial number function to unlock
> it to the full version. It is EXTREMELY easy to open your executable,
> find all of the procedures, drop directly into the Assembly code
> for that password function and hack it.

That's why you should link against a crypto library and crypt those
functions. It is the only way to be sure. OpenSSL is not licensed GPL
either, but BSD-like, so you can link against it freely (i.e. usable
with commercial software). And by simply linking against it, you are
not violating any US export laws either.

Of course that means users must download and install OpenSSL on Windows
platforms. But that is only required when they try to unlock those
functions with their registration key.

And you don't have to use OpenSSL, there are a _lot_ of other programs
out there. I just mention OpenSSL because it is OSS and has a crapload
of ciphers/options to choose from.

> This fatal limitation is the reason I caution anyone developing
> commercial programs to NOT use one of these compilers to develop
> it. Unless you don't mind having your pants down in public.

Of course much of the software I write is OSS (open source software).
But even if I wrote commercial software, I believe the great majority of
people (at least in the US) are principled (and even the "piracy crying
wolf" SBA has the statistics to back me up). Maybe my view of the world
is skewed by me being a Libertarian. And even if they are not, there
are always lawyers to take care of them.

> If you have any secrets in your design, they won't be secrets
> anymore. If you insist on using one of these compilers, at
> least name your functions ( procedures in Pascal lingo )
> with some totally unrelated name to keep the hackers confused.

I don't know about you, but I don't see an "army of hackers"

> Don't call check_password, call setup_variables or some other
> unrelated name and don't do your verification check in that
> code! Do the verification check in some other unrelated
> function.

Or just crypt the freak'er with a nice two-key system.

> To further investigate this on your own, search the net for
> a program called Dede.

Never used it.

> My advice for a commercial release is to bite the bullet and
> use MS VC++. I don't like it but it's more secure than the
> competition.

If you mean "security through obscurity," yes. If you mean "real
security," er, NO, have to disagree there.

> I just wish Microsoft would build the ease of use into
> VC++ that Delphi has. All this isn't an issue for most
> hobbyist programmers. It is a serious issue for programmers
> that make money from their work.

And then you should be using a real crypto solution.

-- TheBS

--
Bryan "TheBS" Smith mailto:b.j.smith@... chat:thebs413
Engineer AbsoluteValue Systems, Inc. http://www.linux-wlan.org
President SmithConcepts, Inc. http://www.SmithConcepts.com
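
Added example, not part of the original message or either poster's code: a sketch of the "two-key" registration check suggested in the reply, written as textbook RSA over a SHA-256 digest in Python. The function names, the sample user and the demo key are constructed for illustration; the demo modulus is built from publicly known primes and has no security value.

```python
import hashlib

# Constructed demo key: both factors are well-known Mersenne primes, so this
# modulus offers no security. A real vendor key uses secret random primes,
# and only N and E would be compiled into the shipped program.
_P = 2**127 - 1
_Q = 2**521 - 1
N = _P * _Q          # public modulus
E = 65537            # public exponent


def _digest(user: str) -> int:
    """SHA-256 of the registered user name as an integer (always < N)."""
    return int.from_bytes(hashlib.sha256(user.encode("utf-8")).digest(), "big")


def issue_key(user: str) -> str:
    """Vendor side only: needs the private exponent, which is never shipped."""
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return format(pow(_digest(user), d, N), "x")


def check_key(user: str, key: str) -> bool:
    """Client side: uses only N and E, so reading this routine yields no keygen."""
    try:
        sig = int(key.strip(), 16)
    except ValueError:
        return False          # not a hex string at all
    if not 0 < sig < N:
        return False          # out of range for this modulus
    return pow(sig, E, N) == _digest(user)


if __name__ == "__main__":
    key = issue_key("Jane Machinist")   # constructed sample user
    print(check_key("Jane Machinist", key), check_key("Someone Else", key))
```

The signature only stops someone who reads the check from generating valid keys; it does not stop the check itself from being patched out of the executable.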

Discussion Thread

Carol & Jerry Jankura 2001-08-20 09:03:51 UTC Languages
Bryan-TheBS-Smith 2001-08-20 09:32:04 UTC Re: [CAD_CAM_EDM_DRO] Languages
Larry Edington 2001-08-20 11:40:18 UTC Re: [CAD_CAM_EDM_DRO] Languages
Bryan-TheBS-Smith 2001-08-20 12:38:30 UTC Re: [CAD_CAM_EDM_DRO] Languages
Larry Edington 2001-08-20 13:15:12 UTC Re: [CAD_CAM_EDM_DRO] Languages
Bryan-TheBS-Smith 2001-08-20 13:30:49 UTC Re: [CAD_CAM_EDM_DRO] Languages
Kevin P. Martin 2001-08-20 13:38:39 UTC RE: [CAD_CAM_EDM_DRO] Languages and reverse-engineerability
Tim 2001-08-20 13:43:59 UTC RE: [CAD_CAM_EDM_DRO] Languages
Bryan-TheBS-Smith 2001-08-20 13:54:32 UTC Re: [CAD_CAM_EDM_DRO] Languages