Fantastic security!
I remember a shareware password recovery app (uncovering characters in password field text boxes) that would only report the first half of your passwords (so, for an 8-character password it would only report the first 4 - you had to register for the others). Simply pad the password to twice the real length and there you have it! |
Re: Lock In Key Security, 2006-08-29 13:15, by Whiskey Tango Foxtrot? Over. (At Work)
|
|
Suddenly I'm hungry for 3773 kr@xx0rs. Does kraft make them?
|
|
Excellent! The message here: Don't just tell your coders what to do, tell them what to do and what its purpose is... |
|
That's the worst error message possible. Wonder how many calls this Brian person gets a day. captcha: truthiness |
|
sadly this has made my day
CAPTCHA : wtf |
|
This has got to be one of the funniest WTFs this year. I literally laughed out loud really badly after reading that second dialog. This reminds me of the original Windows Update hack where you just set RegDone to 1 in the registry under HKLU/Software/Microsoft/Windows/CurrentVersion. lol...
ROFLMAO At least the guy didn't re-invent the wheel like Jed did. |
|
Haha... sad really because anything that looks at the date for anything can be fooled by setting your system clock back. Unless of course they go out to the internet to get the time but who would use that? |
I'm surprised Brian even works there still. He must have been pissed when he found out the developers hard-coded his name and telephone number into production software. Alex, why did you anonymize the dialog box? Just blur out the last name and a few digits of the phone number. I like my WTFs as authentic as possible! Oh yeah, the real WTF is that leetspeak primer for parents linked to in the article:
(Emphasis mine.) Leetspeak isn't phonetic at all. You can't "sound out" the characters (()!)*x3|_. It's kind of like a pictogram maybe -- but there's certainly nothing phonetic about it. YAMB*. *Yet another Microsoft bug. (I'm trademarking this acronym.) |
Not really. You just store the system date somewhere each time your app is run and/or store the fact that your app has already expired (in a not-so-obvious manner, of course). Pretty easy to figure out when the clock has been messed with. |
|
|
This is
|
|
Captcha what?
|
|
Grr...I remember a freeware program (forgot the name of it) that started complaining "go to some website and get the newest version" after a while. Rather annoying since I didn't have the web! Ended up having to fiddle the system clock when I wanted to use it.
But yeah...that is one huge cock-up. |
Somehow I doubt that an actual fully-fledged with office and everything company produced this software. I have the feeling that Brian is an independent developer, and the number posted was a personal line. |
|
Eons ago, I had a demo copy of Quicken Quickbooks. It was made for Windows 3.1. It was fully functional, with a limit on the number of times you could run it. Considering the pricetag, the best security they could come up with was a line in the INI file like, "RunsRemaining=30". Brilliant.
|
|
i remember the first time i 4ax0red a program--i was like 12, i heard rumours that on aol it was required to put the serial number somewhere within the program but obviously not tell the public...so one program (i think it was lprint or something) and i just typed in my name and typed in their zip code for the cd-key and lo and behold it actually worked. it was the only program i was ever able to do this trick with so i dunno how true this rumour was.
|
Err, shouldn't that be 1337? Or what might "Ette" possibly mean? Or were you just trying to be funny? |
|
Well this is an interesting WTF
|
|
That's not fair. The file specifically told him, "Do
|
And there was this RTS game that was made to run without its CD by a few switches in if...else clauses in the assembly code. Yes, I remember being taught how to do it. Which makes me loathe the software published by that house. |
|
Rarely I go "WTF!?" after reading a WTF, but today's WTF made me go "LOL!" (yes, phonetically!).
I bet this was a hint from "Brian" who hoped it will help him to avoid annoying calls after he'd retire. |
|
Nice choice of phone number. Is that your standard?
|
|
I had a game (<tinfoil-hat>relatively recently, so I won't give details</tinfoil-hat>) that required the CD in the drive to play, even if you did a full installation. That is, until I noticed that it stored the letter of the CD-ROM drive in its configuration, and could be tricked by changing it to point to the directory the game was installed into.
|
|
How about the fact that the pop-up had the expected key value? I think I am going to put that in the app I am currently working on. "Could not find user 'John Smith.' Did you mean to login with a username of Admin and password of God?" |
Re: Lock In Key Security, 2006-08-29 14:18, by Whiskey Tango Foxtrot? Over. (At Work)
|
It translates to "eat crackers". :D |
Mmm, kr@xx0rs... (Do they come in barbeque?) |
|
Why 2010?
The problem will recur in 4 years. |
|
Wow, that is exactly what I encountered at my job this day. Some poorly designed application returns something to VBscript if the right hash is provided. If the hash isn't right, it will say 'should've been this one'. "How come you need a hash in the first place?" I asked my colleague. "Well, I can't remember, but it had a véry good reason." Yeah right...
|
|
I do tricks like this practically every week, had a few that were just change 0x74 to 0x75 (single jz / jnz) and it'd work beautifully.
|
By then Brian Emmit would have become AOL's CEO. |
Many (all?) Unreal engine games worked like this. In the [gamename].ini file to be precise. I have done this on my (legal) copies of Unreal, Unreal Tournament and Deus Ex so I'm assuming it's built into the engine. Given you say relatively recently I'll assume this practise is still in use in some departments. |
My thoughts exactly. |
|
cheat codes are for lamers!
|
|
Most UT games these days just disable CD checks with the later patches. |
|
The real WTF is that the expiration date in the license file used a 4-digit year, which is much less efficient than simply using 2 digits.
CAPTCHA: captcha |
oh yeah, you are real "krakzor". try to make a keygen instead of patching conditional jumps. i don't understand how this type of protection like "bpx MessageBoxA, here's your serial number" will stop anyone. |
|
Wasn't trying to be a 3773 krakzor, just saying how easily some of them are defeated.
CAPTCHA: genius |
|
... and if you want to be really 'leet, you might want to use something like 7337 or !337 instead of 3773. ;-)
captcha: captcha. (Seriously.) |
Jenny is the bean bag girl. |
Rarely do the WTF's here make you say WTF!? Where do you work? I would just like to know, so to avoid it should I look for a new job in the near future. ;-)
|
|
No wonder Brian don't do that any more. Can't offer ya' any help with it, either. He put himself out of business!! |
Now you make me feel *really old*. When I was 12 AOL did not exist yet. Actually, the Internet did not exist. DARPA had not started a network. There were no personal computers. However, I could play PONG at the local arcade (or bowling alley) for a quarter! |
|
A few days ago, when making that "recieved" message box with spell checking, I thought: Why not make a contest for faked WTF message boxes, dialogs that are so absurdly WTF that it's obvious that nobody can be that stupid. My first idea for a faked message box appallingly matches today's WTF. Well, there goes my idea. Why make a contest for faked message boxes when you can't distinguish them from real world WTFs?
|
|
There are lots of posts about poorly written authentication - as though the authentication really HAS TO BE PERFECT AND UNCRACKABLE in order to work.
The truth, however, is quite different. Stupid schemes such as writing "RunsRemaining=30" in an ini file are PERFECTLY SUFFICIENT to stop most users. There are very few people who will actually look into an obscure file in the Windows directory to look for this. 99.99% of everybody else will call and get an updated license, and pay the $50 to not have to see the message. CAPTCHA=stfu |
|
Well, those 0.01% were only able to access those .ini files because they're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own. A typical person would use google and download the "crack" that does exactly the same, but automatized. I know lots of people who do it. |
I remember Winzip used to complain if you use it more than a certain number of times without registering (wouldn't stop you using it, it would just complain). Being in College and poor, I found the file that stored the number of times it had been run, and reset it to zero. |
IMO anyone who downloads a crack and uses the same computer for anything important, e.g. internet banking, is at least grossly negligent. |
I agree security only needs to be appropriate to the task and that in many cases simple security is sufficient. But for quite a lot of applications editing the ini file is a completely normal way of configuring the app. Putting a parameter in there (unhashed) doesn't even qualify as simple security. And your 99.99% is way optimistic. I reckon that the majority of 12-year olds would crack this, either by working it out themselves or by simply looking it up on the net. |
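Added example, not part of the original thread or any commenter's code: the comments above contrast a plain `RunsRemaining=30` INI line with storing the last-seen date and an "already expired" flag. This Python code seals that state with an HMAC so a hand-edited counter or a rolled-back clock is detected; the key, field names and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a per-install secret kept outside the state file (e.g. an OS key store).
# A key shipped inside the binary only raises the bar against casual editing.
SECRET = b"constructed-demo-key"

def seal(state):
    """Serialize the state and append an HMAC-SHA256 tag over it."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + tag

def unseal(blob):
    """Return the state dict, or raise ValueError if the file was edited."""
    body, _, tag = blob.rpartition("\n")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("state file modified")
    return json.loads(body)

def start_run(blob, now, expires):
    """Check one launch; return (verdict, new sealed state)."""
    try:
        state = unseal(blob)
    except ValueError:
        return "tampered", blob
    if state["expired"]:
        return "expired", blob
    if now < state["last_seen"]:
        # Clock is earlier than a previous launch: latch the expiry flag.
        state["expired"] = True
        return "clock-rollback", seal(state)
    state["last_seen"] = now
    if now >= expires or state["runs_remaining"] <= 0:
        state["expired"] = True
        return "expired", seal(state)
    state["runs_remaining"] -= 1
    return "ok", seal(state)

if __name__ == "__main__":
    s = seal({"runs_remaining": 2, "last_seen": 1000, "expired": False})
    verdict, s = start_run(s, now=2000, expires=5000)
    print(verdict)
    print(start_run(s.replace(": 1", ": 30"), now=2100, expires=5000)[0])
    print(start_run(s, now=1500, expires=5000)[0])
```

Restoring an older copy of the sealed file is not detected by this check; that needs state the user cannot roll back, such as a server-side record.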
Not quite a hack, but I was pretty proud of cracking the save game feature in the Lord of the Rings game for the Super Nintendo. It required you to type in a long string of letters and numbers (and to write down the string in order to "save" the game). My friends and I realized that different substrings of the save string represented the members of the fellowship, their levels, and their inventories. There was also a section that indicated the progress through the game of the fellowship, and the last part was the group inventory. So it was pretty easy to change the section of the string that specified the location of the group and teleport around the world. Or you could add all the members of the game to your group from the very beginning (along with high levels and the best equipment). Good times. |
|
It's a lot of bad attempts to "secure" a particular type of software like this. I remember I had my moment as a l33t cracker. I was trying to install the 'PowerDVD' program that comes with the D311 (manufacturer name confusicated so I won't get any lawyers on my neck...) computers on my homemade computer. On my first attempt to install the software the installation process was halted and telling me that this software was only meant for D311 computers. I started to look at the files on the installation CD and found one text file with the following line (I don't remember which one):
Hardware ="D311"
I copied the files to my hard disk and changed this line to:
Hardware = "Asus"
I could now install PowerDVD. |