Whole Tomato Software Forums
 Bug / annoying feature (registration dialog)

mickem
New Member

Sweden
5 Posts

Posted - Jun 02 2004 :  1:44:14 PM
Hi,

I have, quite a few times now, tried to register my version of VAX unsuccessfully. I bought an upgrade from my previous VA. The problem, I realised, was that I accidentally thought my key was for 6.0 (when in fact it was for 4.1).

What happened was that I enter my VAX key and click OK.
I get the "upgrade from" dialog and I click 6.
Enter my old key and click OK.
Then I end up back on the "enter VAX key" dialog, without any error, message or information whatsoever.

Then just for spite I entered my "6.0" key in that dialog and it told me the key I had was for 4.1. Thus I realised my key was in fact 4.1 and not 6 as I thought.

Then I did the key thing all over again (this time clicking 4.1 as opposed to 6) and it worked fine.

But to get back to the initial "bug", it would be nice if it had told me the key was for 4.1 (or at least that the "upgrade key" was wrong) when I tried to enter it as a 6.0 key. This especially as my email (of my 4.1 key) never said the key I had was for 4.1, so I had no way of knowing really... The email only says "here is your key for VA...", no version at all.

Anyways, if I'm too confusing let me know :)

(ohh, and thanx for a kick-ass product)
and don't forget you gotta port this baby to "eclipse" so I can enjoy its sweetness at work where I'm forced to play JAVA.

// MickeM

LarryLeonard
Tomato Guru

USA
1041 Posts

Posted - Jun 02 2004 :  2:24:46 PM
I agree, they definitely need to put the version in the e-mail (never noticed it wasn't there).

But, I think the general theory of getting passwords from users is to "leak" as little information as possible when you get bad data. The idea being, don't give a hacker any clues, such as, "You're getting close - that's the correct format for a version 'X' key!". So I'm surprised the VAX dialog box gave you any feedback at all when you entered your "4.1" key - all my password dialogs fail very silently - no hints at all.

mickem
New Member

Sweden
5 Posts

Posted - Jun 02 2004 :  3:50:02 PM
Here is where I have to disagree.

Security by Obscurity (as the official phrase is) never has worked. And it never will... There are thousands of examples where software (and other) companies have tried it and I can't think of a single case where it worked. The most famous failure being, of course, the DVD code.

To believe that the lack of "error dialogs" would somehow hinder a cracker is useless; the "cracker" will look for jmp points, return values, function calls, etc., and such, not "code incorrect" dialogs. Yes, if the dialog is there it might save him 5 minutes of his time, and "Mr newbie: I have read one cracking tutorial" might even fail to apply his tutorial, but then again a decent key hashing algorithm would give him just as much trouble. There are better ways and simpler ways to "harden" your copy scheme. A good idea to keep crackers at bay (which VA uses) is to have a high release schedule.
I remember from my days running wares sites that we constantly "dropped" software that had high release schedules as we didn't want to waste the bandwidth.

And more importantly, a dissatisfied customer costs far more than a cracked software (and arguably software piracy generally boosts sales to a point as opposed to decreasing them, but that's another discussion). But again, had I not found out that my code was wrong I would have told people that "VAX" is crap as I paid money for it and never got it working.

So I would say, spend your time improving your algorithms instead of trying to make it "hard" for your paying users; it pays better by far...

// MickeM

LarryLeonard
Tomato Guru

USA
1041 Posts

Posted - Jun 02 2004 :  4:38:52 PM
Okay, I'll argue...

As usual, "It depends". Yes, yes, I know, "Security by Obscurity" is the whipping-boy du jour. But sometimes "Security by Obscurity" is good enough. It depends on what you're trying to secure, and from whom, and for how long, among other things. Saying it has "never" worked is silly: it works great where appropriate. When implemented by pinheads in the wrong situation... well, what usually happens when pinheads are involved?

In other words, we need to avoid words like "always" and "never", and instead think about what we're trying to accomplish, and how best to do that.

Also, I stand by my point that the less information is leaked, the better. I did not say it was sufficient. It certainly wouldn't foil a determined hacker, but it would "keep honest people honest", as the saying goes.

And since VAX's market is software developers, probably they can hope for a little more sophistication behind the keyboard than usual...

Uniwares
Tomato Guru

Portugal
2321 Posts

Posted - Jun 02 2004 :  6:00:18 PM
quote:
Originally posted by LarryLeonard

And since VAX's market is software developers, probably they can hope for a little more sophistication behind the keyboard than usual...


Ha.