Re: Protecting code and data in Windows

From: Gian Zas (gfzas_at_hotmail.com)
Date: 10/11/03

  • Next message: lupin: "Source code audit tool"
    To: secprog@securityfocus.com
    Date: Sat, 11 Oct 2003 01:48:40 +0000
    
    

    If the developers program under Free Software philosophy they mustn't worry
    about protecting their software. Free Software has got more advantages
    (for all people like developers, users, etc) and fewer disadvantages than
    proprietary software.

    Any software is crackable, it's obvious.

    gian.
    say no more.

    >From: Jesper Anderson <jesper@pobox.com>
    >To: secprog@securityfocus.com
    >Subject: Re: Protecting code and data in Windows
    >Date: Mon, 6 Oct 2003 16:22:49 +0200
    >
    >On Sat, Oct 04, 2003 at 01:18:08PM +0500, Muzaffar Mahkamov wrote:
    > >
    > > You're right. The biggest issue here is the debugger. So I wonder
    > > whether Microsoft could re-implement their debugging privilege or
    > > subsystem, you name it. e.g. Windows could give the debug privilege
    > > to the developer only for debugging his own software. Thus Microsoft
    > > could win the support of many software companies because most of the
    > > software is cracked using debuggers. I don't have any practical
    > > considerations yet but I think theoretically this is possible, because
    > > Windows is not just a GUI but a [commercial] operating system that has
    > > control over this.
    >
    >Nope. Can't be done. A software ICE debugger will be able to simply
    >bypass all of that (essentially the OS runs under the debugger and is
    >granted rights by the debugger - not the other way around). Even if
    >that can be protected against (which would make the OS unusable in
    >virtual systems like VMWare, if it was even possible to do), a
    >hardware ICE debugger will still work.
    >
    >The only way to implement this is through the Trusted Computer
    >Initiative (trusted by the VENDOR, not the OWNER), and that will in
    >practice lock everyone but licensed developers out of developing
    >*anything* for the OS. So, that is unlikely to happen. Plus, even that
    >can be bypassed; although it's harder.
    >
    > > Many developers out there will not support this idea, neither do I,
    > > but when it comes to developing really secure software there must be
    > > some trade-off.
    >
    >Build an OS with this built in for that then. Start with, for example,
    >OpenBSD; add the low level protection layer. Unfortunately it won't
    >help against someone with physical access to the system, but it might
    >be enough to completely block remote cracking (barring bugs in the
    >implementation).
    >
    >You'll quickly find that it's exactly the same protection that is
    >already there in UNIX style OS'es, and available (even if not always
    >used) in Windows OS'es; namely privileges and ACL.
    >
    >There is no way to block a determined attacker with physical access.
    >None. It can't be done. It's possible to make it harder for them, and
    >maybe, just maybe, make it so hard that it's not economically feasible
    >to attack the system. And if you let the attacker run the software on
    >his own system, there is no way to protect it *at all*. It's
    >impossible.
    >
    >Jesper
    >
