( ESNUG 314 Item 5 ) ---------------------------------------------- [3/17/99]
Subject: ( ESNUG 311 #1) Crack FLEX-lm? Go To Jail, Directly To Jail
> I hate to sound like an EDA company lackey, but please cease and desist.
> We're all engineers, whether software or hardware. Publishing articles
> like these to facilitate theft of one engineer's work by another doesn't
> seem to me like a legitimate productivity enhancer.
>
> On the other hand, since the senior execs at the EDA companies now all
> seem to read your ESNUG newsletter, perhaps publishing these security
> holes at the beginning of your column is the best way to get them patched.
>
> With that in mind, feel free to publish, withold, or edit as you see fit.
>
> - Dan Lutes
> Cirrus
From: [ The German Guy ]
John, no name please, call me [ The German Guy ] if you wish to.
When I started my business career 15 years ago, we had a similar discussion
in our (then) new start-up company.
We had a test installation of a top-notch CAE software with no security
mechanism yet, as it was beta. Based on a gentleman's agreement we were
allowed to use it for a specified period of time, and had to delete it
afterwards. Unfortunately we were not able to take advantage of all
features during that time period, and our time schedules made it unlikely
to make up for within days.
After discussions my superior decided not to "extend" that license, but to
immediately delete the software, just because it would be illegal. He
convinced the team with the argument, that you cannot control and keep the
knowledge of illegal software use for about 35 years, which an engineer's
career typically lasts.
How wise his decision was!
Now, about 15 years later many of my former colleagues work at different
companies, some at CAE software vendors, and one is even in the position to
order the generation of license keys.
Can you control the (spreading?) knowledge of former personal or company's
wrongdoing? Would one of the knowing persons forget the personal
(un)reliability concerning software licensing / license-tampering? Isn't
this even more dangerous if someone knows that you actively had "hacked" a
licensing scheme in order to save your company's money?
The (then) external and thus uncontrollable knowledge may destroy your
personal integrity even decades later -- when you may be a senior business
professional in a promising position you perhaps had never dreamed of....
I admit, that I may have a slightly different opinion on privately owned or
copied software/shareware/games. But as soon as I use software for business
("to make money with it"), I would never ever use it unlicensed or even
actively "hacked".
John, thank you for bringing up that discussion on licensing and hacking.
- [ The German Guy ]
---- ---- ---- ---- ---- ---- ----
From: Matt Christiano <matt@globes.com>
John:
I saw the discussion on ESNUG and thought that I should reply.
I'm the president of GLOBEtrotter, the company that makes FLEXlm.
FLEXlm is not intended for use as a high security product, but as a means
for helping honest customers stay honest and receive flexible licensing
terms. At the same time, governments around the world and the World
Trade Organization are making the use of hacked and cracked software a
serious crime.
I belive that it makes more sense that those who hack or use hacked software
be inconvenienced through the legal system, rather than GLOBEtrotter
inconveniencing honest end-user customers by going to extraordinary means
to add security to FLEXlm. (Here's an example: FLEXlm has the ability to
check for the system clock being set back. It's not perfect, but it works
reasonably well. While this feature has been in FLEXlm for several years,
most of my FLEXlm EDA customers do not use it because it inconveniences
their own legitimate customers because it screws up Y2K bug testing.)
Can FLEXlm be cracked? Certainly. It's software. Most importantly, our
philosophy is "keep honest users honest", in other words, we're not trying
to make a foolproof system, we're just trying to make a system which will
prevent inadvertent overuse by legitimate customers. Our belief is that
"revenue leaks" come from honest corporations who use more software than
they have purchased, but truly don't know that they are doing that. If
they knew, they would purchase the actual number of EDA licenses they are
using. Crooks aren't going to pay, no matter what protection you build
into the software -- they will find some way of being crooks -- even if the
way is to steal a different software package.
We've run into a few people like this, and when we find how they've done
it, there is usually a new version of FLEXlm out shortly which makes the
particular attack more difficult or impossible. But the world is full of
people with time on their hands, and they'll always find some new way to
crack software protection systems. So my message to them is this: if you
think you're clever because you can hack FLEXlm, you're not. If you use
the result, however, you are a criminal.
Now, on to the technical issues.
Here's the description of how to disallow access to your license servers,
even if you have access to the port numbers allowed across your firewall:
How To Set Up FLEXlm With A Firewall
------------------------------------
Most companies that are connected to the internet use a firewall for
security purposes. A firewall allows communications for only designated TCP
"ports", identified by numbers in the range 0-64000. FLEXlm uses a set of
these TCP ports, one for the lmgrd process, and one for each vendor daemon.
In order for a user outside the company's firewall to run software
controlled by a license server inside the firewall, access to these ports
must be allowed across the firewall.
The firewall administrator must know the port numbers in order to allow
access to them through the firewall.
The first port number, used by lmgrd, appears on the SERVER line in
the FLEXlm license file, e.g.,
SERVER myhost.mycompany.com 12345678 1234
^^^ ^^^ ^^^
hostname hostid port-number
If there is no port number, then it's using the "default" FLEXlm ports,
27000-27009, and access to all 10 of these ports should be allowed.
Normally, the vendor daemon port numbers are chosen by the OS at runtime,
and is different each time. However, since a firewall requires a fixed port
number, FLEXlm allows the administrator the option of fixing these port
numbers (with lmgrd v5.0 or higher). This is done by adding "port=n" (where
'n' is a number in the range 1025 to 32000) to the DAEMON or VENDOR lines
in the license, e.g.,
change: DAEMON gsi /path/to/gsi
to: DAEMON gsi /path/to/gsi port=5678
The keyword VENDOR may appear instead of DAEMON, and the number of arguments
is variable, but you can always add "port=n" to this line. This must be
done to each DAEMON line, and access to each of these port numbers must be
allowed through the firewall. Remember to use a v5+ lmgrd; we always
recommend using the latest lmgrd anyway, obtainable at www.globetrotter.com.
How To Prevent Others On The Internet From Using Your Licenses.
---------------------------------------------------------------
If your license server is available across the internet, then any user with
software that requires a license that your server has may run the software
by using your license server if they know the hostname of that server, and
the port number lmgrd is using. These may not be hard to obtain through
trial and error, and once found, may be published to other hackers.
To prevent this, we recommend using INCLUDEALL in the end-user options file.
First, if you don't already have an end-user options file, you'll need to
make one for each vendor daemon in the license file. Specify the path
to a different file for each vendor daemon, on the DAEMON (or VENDOR) line
in the license. If the license says DAEMON, you append a path, by placing
it before the port=n field:
change: DAEMON gsi /path/to/gsi port=5678
to: DAEMON gsi /path/to/gsi /path/to/gsi_options port=5678
If it says VENDOR, append:
options=optionspath
to the VENDOR line, where "optionspath" is the path to a file that you
are going to make.
Now we need to create a file in the location you've specified (or edit the
existing one), and specify the INCLUDEALL line(s).
The syntax for these lines is:
INCLUDEALL USER username
INCLUDEALL HOST hostname
INCLUDEALL INTERNET n.n.n.n (where n is a number in the
range 0-255, or '*' wildcard)
When present, only specified users, hosts or IP-addresses can use any of
the software for this vendor. Remember that these files apply only to one
vendor daemon. For example, if all the IP-addresses in your company are
in the range:
123.*.*.*
then you'd use
INCLUDEALL INTERNET 123.*.*.*
Anyone not in that ip-address range would be denied a license. If you have
several ranges in your company, you can list each of them:
INCLUDEALL INTERNET 123.*.*.*
INCLUDEALL INTERNET 124.*.*.*
INCLUDEALL INTERNET 125.*.*.*
INCLUDEALL INTERNET 126.*.*.*
A complete description of the end-user options file is contained in the
FLEXlm end-user manual, available at www.globetrotter.com/manual.htm
- Matt Christiano, President
GLOBEtrotter Software, Inc. San Jose, CA
|
|
