Opinions on the key file?



jdobbs
24th May 2005, 13:06
For those who received the Pro Version last night, what do you think of the new key mechanism? Do you think it's easy enough? I'm trying to limit distribution of the software without being too intrusive.

So far it appears the most common source of problems was in naming it with a ".key" extension. Several folks tried to execute it and got an error message from XP saying it wasn't a valid registry key. It also appears that I wasn't clear enough in my e-mail as to what to do with it. All you really have to do is copy it to the directory that contains REBUILDER.EXE. Nothing more.

Feedback is welcome.

(Added Note: The "Error 13" some folks got that was corrected in v0.93.1 was not related to the keying at all).

buzzqw
24th May 2005, 13:31
Not a big problem, downloading one file or two isn't a problem.

If you think this is a good choice for your rights, then it's also good for me (what bad English...)

BHH

Fiebre
24th May 2005, 13:32
I like this. Personally I had no problems with it at all; just put it in the folder the executable created and ran slick.

valnar
24th May 2005, 14:22
I did have to read your email a couple times as it wasn't clear where to put it, but I figured it out. ;)

Robert

jptheripper
24th May 2005, 14:25
works fine

ScooterMyth
24th May 2005, 14:35
Received the email last night. Read the text slowly without moving lips and it installed perfectly. Downloaded the key file and placed it where I was told to place it and started DVD-RB without a problem. This protection will work fine just as long as the PRO version is not available for public download. Anything requiring a "key file" is crackable and will be pirated quickly if available.

jdobbs
24th May 2005, 15:13
Originally posted by ScooterMyth
Received the email last night. Read the text slowly without moving lips and it installed perfectly. Downloaded the key file and placed it where I was told to place it and started DVD-RB without a problem. This protection will work fine just as long as the PRO version is not available for public download. Anything requiring a "key file" is crackable and will be pirated quickly if available.
Yeah. That worries me. It seems like a lot of work to steal software that exists so far on donations alone. But no matter what method you use, it seems, someone will hack it or get around it somehow. There were a couple of times in earlier versions when someone posted his/her personal copy on BitTorrent... and the trickle of donations turned into a complete stop. I'm not sure there is much I can do besides ban the person who distributes it.

Of course I could always trust the inherent honesty of mankind.
;)

artoor
24th May 2005, 15:13
hehe... before I read the changelog I put the licence key in the DVD-RB folder :D and it works :) Great solution jdobbs.

hobyho
24th May 2005, 15:51
I have no issues with the new protection scheme as well. In my opinion it is not intrusive at all, and works fine. Do what you have to do to protect your work jdobbs.

Again thanks for your work on an excellent piece of software. :)

borgraf
24th May 2005, 16:51
works like a charm, and it's simple enough :)

Rippraff
24th May 2005, 17:11
Besides the runtime error 13 no problems. ;)

Originally posted by ScooterMyth
This protection will work fine just as long as the PRO version is not available for public download. Anything requiring a "key file" is crackable and will be pirated quickly if available.
100% my opinion.
Now since RB Pro is public for download I fear that it will not take very long until a cracked version can be found.

Originally posted by jdobbs
Yeah. That worries me. It seems like a lot of work to steal software that exists so far on donations alone. But no matter what method you use, it seems, someone will hack it or get around it somehow. There were a couple of times in earlier versions when someone posted his/her personal copy on BitTorrent... and the trickle of donations turned into a complete stop. I'm not sure there is much I can do besides ban the person who distributes it.
Black sheep exist everywhere, but now you have to compare the number of people on your VIP list with all others who want to steal your work. :angry:

Just my two cents.

Cu Rippraff

jdobbs
24th May 2005, 17:32
I would have just continued with my previous distribution method -- but my current 768Kbs outgoing connection is the fastest available, and as soon as 3-4 people would start downloading it would crawl and the "what's wrong with your suck-ass system" e-mails started coming in. And that was before the installation package which comes in at 4.75MB. Hosting somewhere else (out of my administrative control) is pretty much a guarantee that versions would start floating around -- and I couldn't confidently conclude it was distributed by the same person to whom it was registered. So this was my choice on the horns of a dilemma.

I'm certainly open to suggestions -- and it is very possible it may change again before v1.00.

samuelal
24th May 2005, 18:19
jdobbs.

All went a-ok with the deployment of the v0.93.1 over here.
Downloaded the .zip version + .key.

All was smooth.

Thanks again for your concern!

RaistlinMajere
24th May 2005, 18:50
Found the key file very easy to use. Nicely implemented.

With the regularity with which you update the program, if you change the keys for each version and VIP members download the tiny sized individual key from your server and the main part of the program from somewhere like doom9, you should be able to keep ahead of the hackers. By the time someone took the effort to hack it and post it on a warez site a new version would most likely be available. Anyone posting a key could be banned and the posted key would be only good for that version, minimizing damage.

Why do people seek to rip off someone who puts so much hard work and time into a program that is also available freely if you don't mind being a few versions behind?

bteamfox
24th May 2005, 21:50
When I installed from 0.92 to 0.93.1 I got "key file missing", then I thought, wally, forgot to put the .key file in the folder. I was going to double click it but didn't as I wasn't sure if I needed to or not, so I tried running RB. I got error 13. At this point I decided to download the installer version of 0.93.1. Installed, placed the .key in the folder and bingo, it ran. As a Windows user for a long time I was tempted to try and double click the .key file as I thought you should; it was just luck I didn't, as I wanted to make sure if I needed to or not. Don't know why it didn't work when I replaced the 0.92 exe with the 0.93 exe. I guess I had a file missing or something. Anyway the installer version was much nicer to use. One thing I would like included in the installer version is a .bat file with this in it -

REM Run DVD Rebuilder in low cpu mode.
start /low rebuilder.exe

As you don't have a CPU priority setting, this does make my PC more usable whilst encoding. (Just a thought).

My thoughts on the .key file protection system: personally I like it because -

I buy software & key. I can install on my PC. I can save my purchased software and key to a CD/DVD. If ever my PC needs reinstalling, I just install RB and copy the key file over and away I go again. (I don't have to request another key and have to wait for it, like some software). I know all programs get cracked but for me as a legitimate user I am happy with this protection. I guess if I lose my key file I can request it to be emailed to me again anyway.

People that let their keys out into the wild should be breaking your terms and conditions of use and therefore they forfeit the right to use the software and get banned from upgrades or whatever you want to do to them (electric chair maybe) ;) If a crack is made for RB Pro then release an updated version with, say, an extra new feature which needs a new key.

I guess it also makes a difference if the software will have a set price or will remain donation ware. Pro version set price, non pro version donation ware? You could make the pro version so that the key is a for life key. The non free donation ware version would work for a month, say, then people would have to download a new version for the next month; this would encourage them to donate enough to buy a full key license?

Well, those are my thoughts anyway.

To sum up I like this system.

jdobbs
24th May 2005, 21:59
You're right about the urge to double click on the file. I got a few e-mails today from folks who did. It gave them a "this ain't no registry key" error... maybe I could come up with another extension besides ".key" and have Rockas register it when it installs. That way DVD-RB would execute when the key was double-clicked -- and would copy to the correct directory.

bteamfox
24th May 2005, 22:13
I don't know how many characters you can have for an extension for sure in Windows but I have not seen anything more than three, so why not simply use ".RBP"? The method you mention of installing the extension on install, then people double clicking the ".RBP" file which would then install the file into the correct place, sounds good to me. :)

Rockas
24th May 2005, 22:15
Originally posted by jdobbs
You're right about the urge to double click on the file. I got a few e-mails today from folks who did. It gave them a "this ain't no registry key" error... maybe I could come up with another extension besides ".key" and have Rockas register it when it installs. That way DVD-RB would execute when the key was double-clicked -- and would copy to the correct directory.
I guess that would be an easy thing to do :)
I was planning to do it with the .rbd files, anyway :)

TECK
24th May 2005, 22:26
Originally posted by jdobbs
You're right about the urge to double click on the file. I got a few e-mails today from folks who did. It gave them a "this ain't no registry key" error... maybe I could come up with another extension besides ".key" and have Rockas register it when it installs. That way DVD-RB would execute when the key was double-clicked -- and would copy to the correct directory.
Something like .lic will solve the problem. What do you think of an encrypted name?
Like adsfh68sadhgag46.lic to protect user's identity...

robot1
24th May 2005, 22:27
I had no problems with the .key file. Probably a new extension would be better.
A suggestion: when you start DVD-Rb without the keyfile, instead of throwing an error, could you open a filebrowser window to locate the file (so DVD-RB copies it in the right location)?
Registering the extension (for doubleclickers...) could be a good idea too.

jdobbs
24th May 2005, 22:42
Originally posted by TECK
Something like .lic will solve the problem. What do you think of an encrypted name?
Like adsfh68sadhgag46.lic to protect user's identity...
That's exactly the opposite of what I want. If someone spreads a key around -- I want everyone to see his/her e-mail address...

Rippraff
24th May 2005, 22:52
Originally posted by TECK
Something like .lic will solve the problem. What do you think of an encrypted name?
Like adsfh68sadhgag46.lic to protect user's identity...
Funny idea! If users use only their own version, there's no need to encrypt the name. If not jdobbs will be glad to see who's the bad guy... :sly:

Cu Rippraff

Edit: too slow... ;)

Axlemar
24th May 2005, 23:23
Well, for a retail version there has to be some sort of serial / key license system. The bad thing about the key file is that it can eventually be messed with, but I guess that is the same with everything. The most effective way to track it would be to make it call home to some database and check that the key / serial in use matches up and is currently in use by one person, but that would be a pain and might cause other problems. I personally think the key file works fine for now.

Also, it would seem to be a bad idea to not encrypt the file since there is a chance someone could guess or find the address of other users.

p200002
24th May 2005, 23:24
I wasn't able to download the key file because the server could not be found. Does anyone have a similar problem?

Axlemar
24th May 2005, 23:29
My key is still downloadable.

p200002
24th May 2005, 23:34
Couldn't figure out why, now it seemed OK. Is dvd-rb.com a new domain just registered, jdobbs?

Rockas
24th May 2005, 23:38
Originally posted by Axlemar
Also, it would seem to be a bad idea to not encrypt the file since there is a chance someone could guess or find the address of other users.
Well I guess that can happen but it will be very hard to guess the "contents" of the file, don't ya think? http://www.thestylemachine.com/smileys/juas.gif

MCFish
25th May 2005, 00:03
Originally posted by Axlemar
The most effective way to track it would be to make it call home to some database and check that the key / serial in use matches up and is currently in use by one person, but that would be a pain and might cause other problems.
Also, it would seem to be a bad idea to not encrypt the file since there is a chance someone could guess or find the address of other users.

Online checking is a bad idea for a program not related to the internet at all. It's only usable for game browsers, mail servers etc.
Many people use dvdrb on computers not connected at all (why should they be for rb), so you can't force them to just to allow dvdrb to start. Wouldn't be fair.
Content of key seems encrypted already, and guessing of address is doable without dvdrb :) One can guess anything. I personally think the address should be left outta the whole keyfile thing. A name would have been enough. jdobbs could still see whodunnit. But it will also force people to take better care of their files in its current state.

jdobbs
25th May 2005, 00:46
I obviously don't agree. The e-mail address is the single most important thing that keeps it from being distributed. I can assure you that will never change.

The one alternative I'm thinking of is a two part key. You get the key and then have to register it with your e-mail address. That way if it did get distributed without the address it wouldn't work... unless the address accompanied it.

MCFish
25th May 2005, 01:04
ok ok :)

Yes. Sounds good if you can make that work. How do you make an email activate the key without a reference to a valid email? Then every key must have its email embedded in encrypted form? lol, I'm outta my league here. Does that make sense?

jdobbs
25th May 2005, 01:19
You don't necessarily need the key embedded... there are lots of ways you could do that with a single byte or two. The important part is that there is a "shared secret"... which is what the address would be in that scenario.

MCFish
25th May 2005, 01:30
Sounds good, if that doesn't alter the keyfile. You have to make sure the key doesn't work anywhere else after I have put my email in.

arsmori
25th May 2005, 01:45
Nothing like silent updates to thwart crack/keygen users.
Not that I know anything about that, just saying...

rayvt
25th May 2005, 05:10
If you want to do some sort of two-stage security key, just use Diffie-Hellman. It's a simple protocol, and the data exchanges could be done via email.

Or maybe have the openly-available downloadable DVD-RB file a password protected zip or rar file, and legit users get a key which contains the password.

Thing is, if the pro version of RB is downloadable, it WILL be cracked in short order. You can take that to the bank. The only way this won't happen is if the dl'able file is encrypted with a strong algorithm--and that pretty much means a password protected archive.

You'd still have the problem of a legit user leaking his key, but that's the same problem that already exists, so it wouldn't be any worse than it is now. But it would solve your download bandwidth problem. And if the password leaked out, you could change the password on the archive and plug the leak immediately.


Hmmmm, this is getting interesting (can you tell I'm a software engineer?) How about something like this:
* Put the new version (password protected zip) on a well-known public server.
* Email the notice and personal key to all VIP users.
* Users dl the zip, and execute a "get my key" program that's in the zip.
* This program takes as input the user's key from the email, and uses it in the 1st step of a D-H key exchange. It generates a text string which is the D-H data.
* This data is emailed to you (or somewhere under your control) and automatically goes to the D-H program. The output of this is the D-H agreed-on key, which is used to send the zip password to the VIP user.
* VIP user then uses that password to get RB executable from the zip file.

Of course, the email steps could be a web-based thing, too. I'm assuming that you already run a server. If so, it's even easier and quicker than emailing the stuff.

Sounds complex, but it's really not. We did a very similar thing a few years ago at my work, in a data-radio Public Safety system. If you want to pursue something like this, I'd be glad to code it up for you.
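
The exchange rayvt outlines above, sketched as an added example (not code from the thread or from DVD-RB). It assumes the e-mailed personal key is a per-user secret that the developer also stores, uses the RFC 3526 2048-bit group, and wraps the password with an HMAC-derived one-time pad plus an HMAC tag as a standard-library stand-in for an authenticated cipher; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added sketch with hypothetical names. RFC 3526 group 14 (2048-bit), g = 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def _kdf(personal_key: bytes, shared: int, label: bytes) -> bytes:
    # Keyed with the personal key, so a relay without it cannot derive these.
    data = shared.to_bytes(256, "big") + label
    return hmac.new(personal_key, data, hashlib.sha256).digest()


def _request_tag(personal_key: bytes, license_id: str, pub: int) -> str:
    data = f"{license_id}|{pub:x}".encode()
    return hmac.new(personal_key, data, hashlib.sha256).hexdigest()


def _check_public(value: int) -> None:
    # 0, 1 and p-1 would force a predictable shared secret.
    if not 1 < value < P - 1:
        raise ValueError("degenerate D-H public value")


def client_request(license_id: str, personal_key: bytes):
    """User side, step 1: returns (private exponent, message to send)."""
    priv = secrets.randbits(256) | (1 << 255)
    pub = pow(G, priv, P)
    tag = _request_tag(personal_key, license_id, pub)
    return priv, {"id": license_id, "pub": pub, "tag": tag}


def server_reply(msg: dict, users: dict, zip_password: bytes) -> dict:
    """Developer side: authenticate the request, then wrap the password."""
    if len(zip_password) > 32:
        raise ValueError("this sketch wraps at most 32 bytes")
    key = users.get(msg["id"])  # None for unknown or banned license IDs
    expected = _request_tag(key or b"\0", msg["id"], msg["pub"])
    if key is None or not hmac.compare_digest(expected, msg["tag"]):
        raise PermissionError("request not made with a valid personal key")
    _check_public(msg["pub"])
    priv = secrets.randbits(256) | (1 << 255)
    shared = pow(msg["pub"], priv, P)
    # Fresh exponents on both sides make this pad single-use.
    pad = _kdf(key, shared, b"enc")
    ct = bytes(a ^ b for a, b in zip(zip_password, pad))
    tag = hmac.new(_kdf(key, shared, b"mac"), ct, hashlib.sha256).hexdigest()
    return {"pub": pow(G, priv, P), "ct": ct, "tag": tag}


def client_finish(priv: int, personal_key: bytes, reply: dict) -> bytes:
    """User side, step 2: verify the reply and recover the zip password."""
    _check_public(reply["pub"])
    shared = pow(reply["pub"], priv, P)
    mac_key = _kdf(personal_key, shared, b"mac")
    tag = hmac.new(mac_key, reply["ct"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, reply["tag"]):
        raise ValueError("reply failed authentication")
    pad = _kdf(personal_key, shared, b"enc")
    return bytes(a ^ b for a, b in zip(reply["ct"], pad))


if __name__ == "__main__":
    # Constructed sample data: one VIP user and a made-up archive password.
    users = {"VIP-0001": b"constructed-personal-key"}
    priv, msg = client_request("VIP-0001", users["VIP-0001"])
    reply = server_reply(msg, users, b"constructed-zip-pw")
    print(client_finish(priv, users["VIP-0001"], reply))
```

Removing a banned user's entry from `users` makes `server_reply` refuse that license ID, which is the revocation step the post relies on.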

jdobbs
25th May 2005, 11:53
Well, whatever I do with the key file it will have to change. The e-mail feedback from the non-techies hasn't been good at all. It also seems that for some reason links ending in ".au.key" are somehow losing the ".key" and the browser is trying to play the file as audio... so if anybody wastes their time cracking this one it won't be good for long...

ScooterMyth
25th May 2005, 13:58
@rayvt
You have some very good ideas about implementing security. I agree that the PRO version of the program should not be available for anonymous download. This in the end is probably the most secure. It's not foolproof but it's like locks on a door, it keeps the honest people honest! ;)
@jdobbs
Great work on this program. I look forward to the "finished" version as the beta is doing a great job now.

Edsel
25th May 2005, 22:54
My thoughts:

Ditch the .key extension. That's a predefined extension, only confusion results from doing so. You wouldn't choose .mp3 if it wasn't a music file, etc. Something like xxxxx-key.bin, would be better.

Better yet, if you actually store the key in the registry, then a .key file would be perfect, and double clicking would have been fine to install it. This is especially true for non-techies, copying and pasting is a much more difficult operation than launching.

I really wouldn't spend a lot of time developing complicated protections. They don't take any longer to crack than simple ones, all it does is waste your time. And as you've seen, adding protection starts costing you customer support time as well.

You release new versions often enough that it functionally works as protection. Just make it so each version or two requires a new key.

p200002
25th May 2005, 22:57
Originally posted by Edsel
My thoughts:

Ditch the .key extension. That's a predefined extension, only confusion results from doing so. You wouldn't choose .mp3 if it wasn't a music file, etc. Something like xxxxx-key.bin, would be better.

Better yet, if you actually store the key in the registry, then a .key file would be perfect, and double clicking would have been fine to install it. This is especially true for non-techies, copying and pasting is a much more difficult operation than launching.

I really wouldn't spend a lot of time developing complicated protections. They don't take any longer to crack than simple ones, all it does is waste your time. And as you've seen, adding protection starts costing you customer support time as well.

You release new versions often enough that it functionally works as protection. Just make it so each version or two requires a new key.

Even bin is confusing since there are bin/cue for image burning.:D

jdobbs
26th May 2005, 00:14
I'm thinking "rbk" for "rebuilder key"

ozzii
29th May 2005, 08:05
The key with rbk is a good thing.
And why not host your VIP version on a free server (like mytempdir.com)? Like that you don't use your bandwidth and you can send the link just for the VIP members ;)

TECK
29th May 2005, 08:28
1568-2252-0872-5381.rbk

The above code key will give out the owner identity to developer.
License ID: 00000001
Username: teck@email.com

If I put this on the Internet, I will get instantly banned from future upgrades.
The dev should also consider a 'callhome' feature, just to make his life easy. :)

MCFish
29th May 2005, 10:47
Originally posted by Edsel
I really wouldn't spend a lot of time developing complicated protections. They don't take any longer to crack than simple ones, all it does is waste your time.

Not entirely true. Just look at Starforce. Not that he should make a CD protection :), but it's a better protection and harder to crack.

ozzii
29th May 2005, 12:15
Originally posted by MCFish
Not entirely true. Just look at Starforce. Not that he should make a CD protection :), but it's a better protection and harder to crack.

And look at an app like DVDRemake Pro, which is really hard to crack.

Walxer
29th May 2005, 15:11
I code some apps in Visual C++ and I have the same problems as jdobbs; after many interesting methods used [keys with xxxx number of bytes, customized encryption systems, password + encryption + key, etc...], I have got a very easy-strong method to protect my registered users from execution or distribution of my apps around;
Simply do an easy HARDWARE-dependent little encryption algorithm, the easiest possible, do some mathematical logical calculation, and put the verification, the error messages and everything in intelligent ways... at the end encrypt your exe, compress, do some CRC control and make it difficult to debug :D
You will see that if you are not in front of an expert hacker, your app will be very difficult to crack ;)
If you like, I can explain by PM or I can also send my pieces of sources about protection by email... I think it is the MINIMUM that I can do, after your MAGNIFICENT piece of art of software :D

:cool:

buzzqw
29th May 2005, 15:38
hardware key isn't a good thing

I have a license, so can I install on 1 computer or on all my computers?

I don't want a microsoft like license.

BHH

Yusaku
29th May 2005, 19:43
I would suggest following Edsel's advice - leave the extension as .key (or .reg) and make it into a real registry file; that way you get an intuitive "installer" of the keyfile for free. It is not a big difference to read a few bytes from a file than from a predefined place in the registry, and it would IMO decrease support costs (=emails to answer).

And implementing a small parser to read the data directly from the registry file (so that the current way works and users who learned it this way can continue to do so) is simple as well - just a BASE64 decoder will do it.

maksa
29th May 2005, 20:16
Jdobbs,
look @ Dimad's (DVD ReMake) way of protection. Every user has an account and it is enabled for a certain program or version. When a user wants to download the program, he/she must enter a hardware number related to his/her own computer. After that he/she gets a personalized version of the program that works only on that machine. If you want to download it on a different machine, you need to enter a new hardware number. It is easy to track it. If a user has downloaded the program on 1 to, say, 5 machines (up to you) it is OK. But if the program is downloaded from the same account more than some number, you disable this account. This way, if the account is hacked without the user's knowledge, illegal distribution won't be high and copies of the program only work on a particular machine. And the user can get a different account (some penalty may apply) or be banned for deliberate release - up to you to decide.
Of course, even this could be hacked, but then again, what can NOT be (CSS? :D ), 128-bit encryption, Enigma (WWII) and so...

By the way, the key looks fine, but it is easy to hack, because it is transferred as a file, while the hardware number is machine dependent.

Just my 2c

Regards,
Maksa

Walxer
29th May 2005, 20:38
Originally posted by maksa
Jdobbs,
look @ Dimad's (DVD ReMake) way of protection. Every user has an account and it is enabled for a certain program or version. When a user wants to download the program, he/she must enter a hardware number related to his/her own computer. After that he/she gets a personalized version of the program that works only on that machine. If you want to download it on a different machine, you need to enter a new hardware number. It is easy to track it. If a user has downloaded the program on 1 to, say, 5 machines (up to you) it is OK. But if the program is downloaded from the same account more than some number, you disable this account. This way, if the account is hacked without the user's knowledge, illegal distribution won't be high and copies of the program only work on a particular machine. And the user can get a different account (some penalty may apply) or be banned for deliberate release - up to you to decide.
Of course, even this could be hacked, but then again, what can NOT be (CSS? :D ), 128-bit encryption, Enigma (WWII) and so...

By the way, the key looks fine, but it is easy to hack, because it is transferred as a file, while the hardware number is machine dependent.

Just my 2c

Regards,
Maksa
I totally quote this guy.
It is what I said before, but my way is so so so much simpler [as DVD-RB was born] ;)
Maybe it is better for the moment not to make the whole engine so heavy :D

:cool:

aaron10
29th May 2005, 20:43
I know the Remake method has its proponents, but it did raise a lot of anguish a year or so ago when DVD95Copy went that route. Although I had no dog in the hunt, many people shunned DVD95Copy because of this protection scheme. Two of the biggest (and probably somewhat logical) arguments against it were hotly belabored for several days: (1) What if the company disappears, you won't be able to use the program on a new machine because there's no one there to issue a version tailored to it. (2) How critically does the protection scheme look at computer architecture? That is, how much and what can I change before the program decides it's not on the correct machine?

I suspect Jdobbs will remember those debates.

TECK
30th May 2005, 02:39
aaron10, I totally agree with you.
I hope jdobbs will not go down this ugly road... What if your server is down for a day?
I have a few programs that I had to reactivate because I changed my HD. I waited a week until my new keys were provided. I was not happy at all, regretted that I purchased them and removed them from my upgrades list.