Bill Mill wrote:
> Your only solution, then, is to write unpopular code. Because, as Alex
> said, it will otherwise be broken into. Let's look at two very popular
> pieces of code: Half-Life 2 and Windows XP. How are they secured?
> Previous versions of these software products used sophisticated
> client-side programming to try and be secure, but the security was
> nonexistent. Users share keys and cracks with each other.

and Mike Meyer wrote:
> What makes you think this is the case? There are ways to distribute
> Python modules so that the user can't just open them in a text
> editor. There are also ways to get cryptographic security for
> distributed modules. Yes, if you use the same methods you use in C++,
> it's "much harder". But by the same token, if you tried to use the
> methods you'd use in a Python program in C++, you'd find that the C++
> version was "much harder".
>
> Of course, as Alex pointed out, all of these are just keeping honest
> people honest. The crooks have all the advantages in this game, so you
> really can't expect to win.

Funny you should mention Half-Life 2. I actually went out and bought Half-Life 2 from the store instead of waiting for a crack to be released (the unique scheme they used meant that crackers will take a little longer than usual). I really wanted to play this game (i.e., it's very popular) and couldn't wait.

My brother is bugged by Civilization IV's copy protection. A couple of days ago, after consulting me on what other options he could try, he finally said in frustration, "Maybe I should go buy the game."

This is a personal anecdote, but I'm sure it applies to at least some people. Obviously I'm not an honest person. But I'm not so against spending money on software that I won't buy it if there's a pretty good copy protection system on it.

The "keeping honest people honest" argument is simplistic and, as Ben said, "black and white thinking". Ben's analogy of the house is not a perfect example, but it's still a fair one. You know that if someone really wants to break into your house, he will get in, regardless of your sophisticated laser trip wire system, ex-SAS guards, and genetically-engineered guard dogs. But as long as the cost of protection is less than the cost of the item you're protecting (multiplied by the relevant probabilities, factoring recurring costs, etc.), it's worthwhile to spend money on protection.
If that fails, then you will of course fall back on the law, but you still try to prevent it from happening in the first place.

I do believe that code obfuscation and copy protection measures work, to a limited extent. Few software companies believe that their copy protection will be uncrackable (though their marketing droids may say otherwise), but are most willing to invest in it to at least temporarily stave off the piracy.

Distribution of Python modules as compiled bytecode is a limited form of obfuscation. Some believe it's enough. But if there's a free obfuscator out there that can increase the difficulty of reverse engineering, why not use that too? Costs you nothing, and may get you a customer or two more before someone manages to crack that.

Obfuscation has its place. It's not the final solution for software protection (and there probably isn't one), but it is one more lock you can use to deter or delay thieves. You can't expect to win against determined thieves, but you can remove as many advantages that they have.

> Now, both of these programs require verification (phone and/or web) to
> be used. The only truly secure method of assuring that they're not
> used in ways you don't intend is to require the user to contact you to
> use it, and that's a deal with the devil. One you might need to make
> if security is that important to you, as Microsoft and Valve have
> decided it is, but it's a deal with the devil nonetheless.

This seems to be opposite to what you said in the previous paragraph. Contacting and verifying with the company every time you use the software is obviously not "the only truly secure method", since there are cracks and keys floating around. It is also not quite as evil as it may seem, since authorization is only required on initial use (and online gaming).