Re: serial number (activation code)

Tech-Archive recommends: Fix windows errors by optimizing your registry

G.Doten <gdoten@xxxxxxxxx> wrote:
Well, there's a difference between "MAC addresses are designed to be
globally unique" and "default, hardware-assigned MAC addresses are
designed to be unique". I *suspect* that's what Peter was getting at,
given the rest of the post.

I don't. He clearly says "It is mostly true that the MAC address is
unique among default, manufacturer-assigned MAC addresses." Insisting on
"mostly true" when he knows darn well it is true. He's splitting hairs
here just to argue with me.

I really don't think so. I think the "mostly" is to cover vendor
mistakes.

This is where he started his random contradicting. He knows damn well
what I am saying, but must make me sound like I am stating some sort of
"error" when I say that. The built-in MAC address is without question
supposed to be unique. There is no error in that statement. Peter then
continues to sing that same song inferring that I can't read English.

I'd venture to suggest that you're the one implying that he's denying
that manufacturers are meant to assign unique addresses, despite there
being no such denial.

But there is that denial, and of the standard itself. Venture what you'd
like; it's a free Internet!

Again, I see no such denial. I think we'll have to agree to disagree
about this.

It's not an assumption! I've had to repeat that a number of times. And
he keeps refuting it.

It's an assumption that they *are* unique - i.e. that everyone follows
the standard without any errors creeping in. We've all agreed that
manufacturers *can* make errors, therefore it would be foolish to
believe that all the built-in addresses genuinely are unique.

No, it wouldn't. That's like saying it would be foolish to follow the
standard when dealing with these addresses. There must be many standards
that are misapplied, yet what they say can still be used. If a problem
with a particular implementation is encountered it can be worked-around,
especially in this specific case of built-in MAC addresses.

There's a difference between working round a problem and believing that
such a problem doesn't (or can't) exist.

Peter's wider point in that quote was that you still couldn't trust the
*reported* MAC address anyway though.

Sure you can! You're losing me.

The *reported* address can be set by the user, therefore it shouldn't
be trusted. I thought *that* bit was agreed on...

He knows damn well that everyone--including myself--agree that using a
MAC address for this purpose is a bad idea.

The difference being that you believe (as far as I can tell) it's
always realistic to retrieve a built-in MAC address reliably.

Yes, I do. I may easily be wrong.

Do you really think that resetting a customer's networking settings is
realistic as a viable way to do things? People kick up a fair amount of
fuss about installers requiring a reboot - but resetting network
settings is a whole different league, IMO.

Well, here's just one:

<quote>
Peter: That is the standard for how manufacturers assign the default MAC
address for a device. That is _not_ the standard for MAC address as
they are used in networks.
</quote>

I don't see where that says that he says there's no standard for built-
in MACs.

"That is _not_ the standard for MAC address as they are used in
networks." Wrong.

He's making the distinction between MAC addresses which are used in
real life and the MAC addresses which are built into the hardware. I
think that's a very valid distinction to make, given that users can
change the MAC addresses that are used. What's controversial about
that?

Finally coming around to agreeing there is a standard, and it that it
does dictate that built-in MAC addresses be unique ('It is true that "no
two manufacturers can possibly assign the same MAC address to two or
more devices" (to the extent that manufacturers don't screw up...they
do, you know)'), he then tries to say the standard is not used in
real-life networks.

And indeed it's not, because in real networks MAC addresses *are*
assigned - often enough to make it non-negligible, IMO.

We disagree on the meaning of non-negligible, I think.

Possibly.

Then it pretty much devolves into device drivers, and things like "WMI
does not provide a specific API to retrieve a MAC address" (it does, and
in a very standard way), and this beauty: 'The Windows API is a
standard. That doesn't mean that any code I implement using the Windows
API is using a "standardized way" to do something.' That's just precious.

Well, using the instructions you were suggesting, WMI isn't providing
an API to get at the original, built-in MAC address. Part of the
process you were suggesting is "just" clearing registry keys - a
critical part of system configuration. *That* certainly isn't a
"standardized way to get at the hardware's default MAC address". The
WMI part isn't the big problem - it's the preceding step.

No, I think that would work fine. Supposedly it does, anyway.

If any installer tries to screw around with my network settings, it
certainly doesn't count as "working fine" in my view.

It depends on whether that scheme actually *works*. I could ship a
"licensing scheme" that relied on an invalid user not creating a file
called licence.txt - I wouldn't say that's feasible as a real licensing
scheme.

Yes, it works; it is used by products.

Just because it's used doesn't mean it works though. ROT-13 can be
*used* as an "encryption" mechanism, but it doesn't *work* as an
encryption mechanism. It's not a viable, feasible, workable encryption
scheme. If a product shipped using it, that wouldn't make it any more
secure as a scheme.

<snip>

Regardless, using a MAC address is not only workable (using the normal
definition of the word)

We certainly haven't agreed on that. "Workable" presumably means that
something "works" doesn't it? For a copy protection scheme to work, it
must detect when someone fakes their MAC addresses. I don't have enough
experience of such products to know whether they manage that - but I
suspect they don't.

That's your definition of licensing scheme (and isn't a bad one).
Because a product ships with a "MAC address licensing scheme" that may
(or may not) let MAC addresses be spoofed does not mean it isn't a
legitimate licensing scheme. I would say that there is no licensing
scheme that is 100% accurate nor 100% secure. A product company may
decide that this hole may be perfectly acceptable for their needs.

This is what makes such a licensing scheme workable.

I think it depends on the amount of difficulty involved in cracking it.
If it takes 5 minutes without having to install any extra drivers etc,
that's pretty unworkable in my view - and that's what I suspect the
case is for most if not all such licensing schemes, unless they commit
the cardinal sin of tampering with my network settings. At that point
they may be more secure, but I suspect not 100%. The cost is too high
though, IMO.

Now, as with most holes, I suspect that it's not the case that
companies deem such a hole as acceptable so much as that they don't
understand the hole to start with.

Hang on a sec - I specifically spoke about one-time validation. Not
"every time I run it" validation, nor validation which dies when
hardware is changed. I certainly don't like either of those.

Well, we agree on that. I don't like any of those schemes either,
including the one-time validation ones. All of them are relatively easy
to crack.

There are pros and cons. At least there isn't usually too much pain for
legitimate owners, however - no network settings tampering, for example
;)

No. I just dispute whether it's reasonable to call that licensing
scheme "workable" if it doesn't provide any real protection.

I don't see how it can be denied that it is a workable technique, but
whatever. I never claimed, nor would I ever claim, it is a perfect
solution. But I would say it is perfectly acceptable for the needs of
some companies.

I would be interested to see what those companies would say if a
5-minute zero-expertise (beyond reading a web page) crack were to be
presented to them. Of course, without trying out one of these products
(and knowing a valid licence key for a given MAC address) it's hard to
show that - but I have strong suspicions that their products aren't as
safe as they expect them to be. When a risk is accepted unknowingly it
shouldn't count as making the scheme involved "workable" IMO.

Should they? Hey, it's their software...

True.

Which is why they can define how bullet-proof or not bullet-proof their
licensing scheme is.

Only if they understand the weaknesses of such a scheme.

You make an excellent proxy for Peter, BTW.

I just got fed up with the situation where I couldn't see that much
disagreement on what you actually believed, just on the words being
used.

--
Jon Skeet - <skeet@xxxxxxxxx>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
.

Quantcast