PGP source code
Ben Laurie
ben at algroup.co.uk
Tue, 04 Sep 2001 15:39:40 +0100
Nexus wrote:
>
> ----- Original Message -----
> From: "Richard Clayton" <richard@demon.net>
> To: <UKcrypto@chiark.greenend.org.uk>
> Sent: Tuesday, September 04, 2001 1:34 PM
> Subject: Re: PGP source code
> [snip]
> > There are many companies that would like to ship software that only ran
> > on your machine and no other. Reading MAC addresses from Ethernet cards
> > is as nothing to encrypting the binary for your particular CPU [or four]
> [snip]
>
> The MAC address can be trivial to change dependent on your OS.

The MAC address the card generates in Ethernet frames is trivial to
change. The one burnt into the chip (which is what you'd read) is a
little trickier :-)

> One high
> availability firewall product springs to mind as it _requires_ that you can
> duplicate MAC addresses across hosts for it to work. CPU IDs or even any
> form of hardware based ID are subject to the same problems. Whatever
> hardware device you use, the software will have to use an OS based API or
> some form of hardware abstraction layer to query the device for whatever ID
> you are after - you just have to insert your own shim into the OS and return
> the values you want returned. The software is at the mercy of the OS and
> if you control the OS, software loses every time IMHO. How many licence or
> unlock code routines use tortuous decryption or obfuscation routines only to
> end in a single conditional jump?
> How many hardware "dongles" suffer from the same oversight? Have these
> people never heard of a Logic Analyser or a CRO?

Of course they have - the question is whether the _buyer_ of the dongle
has heard of one!

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
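
The distinction drawn in the message above, between the address a card puts in its frames and the one burnt into the chip, as an added example that is not part of the original message: an inventory check for hosts you administer that flags interfaces whose active MAC differs from the permanent one. It assumes a Linux iproute2 recent enough to print `permaddr` in `ip -o link show`; the sample lines, `audit` and `is_locally_administered` are constructed for illustration.

```python
import re

# Constructed `ip -o link show` output (not captured from a real host).
# Assumption: iproute2 prints "permaddr" only when the active address
# differs from the permanent one the driver reports.
SAMPLE = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN"
    "\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"
    "\\    link/ether 00:1b:21:aa:bb:cc brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"
    "\\    link/ether 02:00:5e:10:20:30 brd ff:ff:ff:ff:ff:ff"
    " permaddr 00:1b:21:dd:ee:ff\n"
)

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
LINK = re.compile(
    r"^\d+:\s+([^:@\s]+)(?:@\S+)?:.*?link/ether\s+" + MAC
    + r"(?:.*?\bpermaddr\s+" + MAC + r")?",
    re.I,
)


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, i.e. the
    address was assigned in software rather than by the manufacturer."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit(text):
    """Return (interface, active_mac, reasons) for each Ethernet interface
    whose active address does not look like the burnt-in one."""
    findings = []
    for line in text.splitlines():
        m = LINK.search(line)
        if not m:
            continue  # loopback and other non-Ethernet links
        name, active, perm = m.groups()
        reasons = []
        if perm and perm.lower() != active.lower():
            reasons.append("active differs from permanent " + perm)
        if is_locally_administered(active):
            reasons.append("locally administered bit set")
        if reasons:
            findings.append((name, active, reasons))
    return findings


if __name__ == "__main__":
    for name, mac, reasons in audit(SAMPLE):
        print(name, mac, "; ".join(reasons))
```

Both values still come from the OS and driver, so this is an inventory check and not a tamper-proof identifier.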