Re: How can I identify a system uniquely using MFC code




"Joseph M. Newcomer" <newcomer@xxxxxxxxxxxx> wrote in message
news:gnl192hh5jcadri296lpgfnksgt4nvtj3c@xxxxxxxxxx
| If my laptop is stolen, there is no security issue, because I make it a point to never
| keep proprietary data on my laptop. I carry a little external hard drive, which I keep in
| my pocket, and that's where I keep proprietary information; it is only plugged into the
| laptop if I'm using the laptop. Otherwise, the two are kept separate.

Fine - somebody steals your drive. Now what?? Smaller than a laptop, I'll
bet.
I use AES-256 in CBC mode and a 4GB USB as backup on my key chain.
Passphrase in head and nowhere else.

| The Internet solution doesn't help if you're trying to use a product at 35,000 feet over
| Nebraska. At least not until airlines start supporting reasonably-priced broadband (and I
| hope they don't because of VoIP).

You're going to install software at 35,000 feet? Can't it wait? Maybe you
should do that before you take off. Or - "oops I forgot my dongle, guess I
can't do your books today".

Or how about: "Dog ate my dongle, you'll have to wait for him to shit"...

All symptoms of a poorly designed cryptosystem and ample ignorance.

| The official definition of "Copy Protection" is "A class of methods for preventing
| incompetent pirates from stealing software and legitimate customers from using it.
| Considered silly."
|
| Don't worry--NGSCB will save us all!
|
| (and if you believe that the Next Generation Secure Computing Base will actually make
| systems more secure, you are almost certainly interested in my wonderful beachfront
| property in New Orleans. Well, it isn't beachfront YET, but it will be after the next
| hurricane. Buy now!)

That's OK - I already have a large water park south of Florida - keeps
getting alien trespassers in it.

|
| The TCB (Trusted Computing Base) does solve some important problems in computer security,
| but it will NOT make our computers safer, or prevent viruses, or any number of other myths
| I've heard people claim will be true (alas, some of them even work for companies involved
| in trusted computing projects...and I can't say too much about one of them because I just
| invested two years in a project I can't talk about yet)
| joe

Heh we could be on the same team... but I have seniority by at least three
years

| On Wed, 14 Jun 2006 16:12:39 -0700, "Ed Weir \(ComCast\)" <Anon@xxxxxxxx> wrote:
|
| >"Joseph M. Newcomer" <newcomer@xxxxxxxxxxxx> wrote in message
| >news:r0ft82drh8qdsk83lii8ltdke71nc42bpd@xxxxxxxxxx
| >| You point out the absurdity of most hand-rolled "copy protection" schemes. Look how much
| >| more complex your solution is, and I suspect it is just a beginning, based on some of the
| >| consulting I've done. The actual copy protection means in most proprietary products is
| >| considered secret for obvious reasons, but I've worked with several clients who thought
| >| they'd "solved" the problem on their own ("we don't need to spend money on some commercial
| >| product!"), and I was able to demonstrate ways of cracking their schemes within a day (I
| >| used to have an anonymous account that I used to lurk on cracker newsgroups. Anyone who
| >| thinks they can roll their own copy protection scheme should do this first. Discover how
| >| trivial it is to crack ANY software-only scheme. Realize that even the best commercial
| >| software-only products, written by experts in these areas, are highly vulnerable. Then
| >| give up and get a hardware-related product with a dynamic challenge-response mechanism and
| >| high-level encryption, and you MIGHT have a chance of keeping your software secure...)
| >| joe
| >|
| >| On Mon, 12 Jun 2006 20:06:05 -0700, "Ed Weir \(ComCast\)" <Anon@xxxxxxxx> wrote:
| >|
| >| >"Bruno van Dooren" <bruno_nos_pam_van_dooren@xxxxxxxxxxx> wrote in message
| >| >news:ug75QYgjGHA.3440@xxxxxxxxxxxxxxxxxxxxxxx
| >| >| > I am working on a MFC application. I need to identify every
| >| >| > system which uses this application. How can I do this using MFC? Is there
| >| >| > any unique identifier for a PC which can be retrieved using MFC?
| >| >|
| >| >| You can find the computer SID in the registry.
| >| >| More details over here:
| >| >| http://www.sysinternals.com/Utilities/NewSid.html
| >| >|
| >| >| --
| >| >|
| >| >| Kind regards,
| >| >| Bruno van Dooren
| >| >| bruno_nos_pam_van_dooren@xxxxxxxxxxx
| >| >| Remove only "_nos_pam"
| >| >
| >| >This use of an SID is woefully inadequate for security, as the site you have
| >| >referenced illustrates so well; anyone can change the SID of a computer, so
| >| >how can we expect the data on our hard disk to be secure? This is just one
| >| >more example of dangerous security assumptions and coding done by the
| >| >'experts' at MSFT.
| >| >
| >| >A more secure method would be to create a one-way sha-256 or AES-256 hash
| >| >of:
| >| >1.) volume ID + SN
| >| >2.) User ID
| >| >3.) User domain
| >| >4.) Machine name
| >| >5.) OSINFO
| >| >6.) User PIN or passphrase
| >| >
| >| >to lock the user to the hardware in use. In the event of a hardware failure
| >| >the last element can be used to recover the ID if necessary. There is of
| >| >course more to it than this, certain code which needs to be written to
| >| >implement the hash and to later validate it as well as to recover the ID
| >| >after hardware failure or machine migration.
| >| >
| >| >Point is, the SID is anything BUT secure...
| >| >
| >| >-- Ed.
| >| >
| >| >-----------------------------------------------------
| >| >hex->bin->b64
| >| >F9E7707A2AF502D0A899C6ACB43A2D35EB7E
| >| Joseph M. Newcomer [MVP]
| >| email: newcomer@xxxxxxxxxxxx
| >| Web: http://www.flounder.com
| >| MVP Tips: http://www.flounder.com/mvp_tips.htm
| >
| >You nailed it. Only use the internet connection as your 'hardware', and a
| >server you control as your 'dongle'. Since most applications are internet
| >related, this will solve the problem for a good percentage of applications
| >needing protection against piracy.
| >
| >Secret methods are kept secret in complete ignorance of the principles of
| >Applied Cryptography; you must always assume that an attacker has full
| >knowledge of how your scheme works, and will (quickly) devise an attack if
| >the target is worth the effort. You are only as secure as the cost of the
| >attack exceeds the worth of the prize. You have succeeded in attacking your
| >targets because of the relative ignorance of the victims. Unfortunately
| >(for all of us), not a great feat.
| >
| >The more complete solution would be to:
| >1) Educate every user in secure usage and practices
| >or
| >2) Design systems that are intrinsically secure* without having to depend
| >on user competence in security
| >
| >E.G.; What if your laptop gets stolen - is your data on it secure from
| >attack?
| >
| >I just got a letter from the Gov't that my service information has been
| >compromised. How did this happen?
| >
| >-- Ed.
| >
| >-----------------------------------------------------
| >hex->bin->b64
| >F9E7707A2AF502D0A899C6ACB43A2D35EB7E
| >
| >* The cost of attack exceeding the value of the prize
| Joseph M. Newcomer [MVP]
| email: newcomer@xxxxxxxxxxxx
| Web: http://www.flounder.com
| MVP Tips: http://www.flounder.com/mvp_tips.htm
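
The hash-of-attributes idea quoted above (items 1 to 6), sketched in Python as an added example that is not code from any poster in the thread. It swaps the plain SHA-256 for PBKDF2 plus HMAC-SHA-256 over length-prefixed fields; the field names, sample values, work factor and the `migrate` recovery step are assumptions.

```python
import hashlib
import hmac
import os

# Items 1-5 of the list in the thread; item 6 (the passphrase) is handled separately.
FIELDS = ("volume_id_sn", "user_id", "user_domain", "machine_name", "os_info")
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def encode_fields(attrs):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide."""
    out = bytearray()
    for name in FIELDS:
        value = attrs[name].encode("utf-8")
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)


def derive_key(passphrase, salt):
    """Stretch the passphrase so the stored values resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def enroll(attrs, passphrase, salt=None):
    """Return the record to store: salt, system ID, and a passphrase check value."""
    salt = salt or os.urandom(16)
    key = derive_key(passphrase, salt)
    return {
        "salt": salt,
        "system_id": hmac.new(key, encode_fields(attrs), hashlib.sha256).hexdigest(),
        "pass_check": hmac.new(key, b"passphrase-check", hashlib.sha256).hexdigest(),
    }


def validate(record, attrs, passphrase):
    """True only if both the machine attributes and the passphrase still match."""
    candidate = enroll(attrs, passphrase, record["salt"])
    return hmac.compare_digest(candidate["system_id"], record["system_id"])


def migrate(record, new_attrs, passphrase):
    """After hardware failure: re-enroll on new attributes if the passphrase checks out."""
    probe = enroll(new_attrs, passphrase, record["salt"])
    if not hmac.compare_digest(probe["pass_check"], record["pass_check"]):
        return None
    return enroll(new_attrs, passphrase)


# Constructed sample values, not taken from any real machine.
SAMPLE = {"volume_id_sn": "C:1A2B-3C4D", "user_id": "alice", "user_domain": "CORP",
          "machine_name": "WS-042", "os_info": "Windows XP SP2"}
```

Every input here is readable and settable by software on the machine, so this binds a licence record to a configuration; it does not address the software-only cracking problem raised in the quoted reply.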
