( ESNUG 328 Item 1 ) ----------------------------------------------- [9/9/99]
Subject: ( ESNUG 327 #1 ) 13 Of 104 Replies To "Flex-LM Cracked" Story
> But this crack is different. It's a FULL crack. It's not a trick to use
> when you're on a project and your licenses *just* ran out and you need
> something just to get two more weeks, TWO MORE WEEKS! (Hey, I've been
> there before. I *know* what that hot seat is like.) This crack is
> different. It's a *full*, in-your-face, no-possible-redeeming-value,
> no-grey-areas, we're-just-gunna-steal-this-software crack...
>
> And my screwy sense of ethics won't let me support something like this.
>
> - John Cooley
> the ESNUG guy
From: Matt Christiano <matt@globes.com>
John,
From the "Electronic News" website, I see you received over 48 emails on
Friday, after item #1 in Post 327. That's good. :)
What do you think the hackers of the world want? Money? Not likely. Fame?
You betcha. They want nothing more than to have guys like you writing
articles about them.
The good news is, however, you didn't disclose the web site, and will only
give it to honest EDA companies. And I guess we can all rest assured
that none of the people who might want to steal this software, but hadn't
realized that someone had hacked it, know how to use a search engine --
that will keep us safe. :)
John - what were you thinking?
For matters like computer viruses and other items that affect the security
of the public, news reports benefit the public in general, as there are
measures for the public to take to protect themselves to minimize the
damage. At the same time these stories provide encouragement to the virus
developers. One can reasonably argue that the benefits the public receives
by publishing these stories overrules the damage caused by encouraging
further virus development.
I don't see how publishing a story like this helps the public, as they are
not damaged by the problem. Publishing the story just to EDA vendors may
have some merit especially if one believed that GLOBEtrotter would not
respond in a more private conversation. However, if you had called us,
we would have told you that we have already fixed this hole -- in 1996, by
the way, and made it the default in FLEXlm in 1998, but that there are
lead-times for our customers to get these fixes into their production
releases.
So the net result of publishing the story is:
- hackers are encouraged to do more of this because of the attention,
- some dishonest users will find the hack on the net who might not
have otherwise and "steal" EDA software which they probably wouldn't
pay for anyway,
- some of these users will get into trouble w/ their companies or the law,
- you and I will have to answer an avalanche of email and phone calls, AND
- some EDA vendors may "crank-up" the security in ways that will
inconvenience honest users (ie, you and your readers).
I don't see the public benefit. I don't see the benefit for EDA vendors.I
certainly don't see the benefit for you, unless you like the deluge of
email. And most of all, I don't see any benefit for your users. I don't
know who, but I'd be willing to bet that some EDA vendor is now going to
lock down security in a way that is going to severely inconvenience you and
your readers.
If you honestly believe that publishing a hacker story benefits the public,
you should publish it. If you believe that doing so on balance harms the
public or encourage others to harm the public -- you should refrain from
publishing as a matter of personal integrity -- as I believe you would. But
please, please, think of the "law of unintended consequences" when you
publish something like this.
- Matt Christiano, CEO
GLOBEtrotter Software, Inc. San Jose, CA
---- ---- ---- ---- ---- ---- ----
From: [ Name Deleted ]
John,
After talking with you on the phone about this, I downloaded the Flex-LM
cracker software from that URL and ran it on a isolated PC. It successfully
cracked Flex-LM 5.12 all the way to the Flex-LM 6.1F version. It didn't
crack the new (released this week) Flex-LM 7.0C version. The EDA vendors
who read ESNUG should be interested in this news.
- [ Name Deleted ]
[ Editor's Note: On Wednesday, Sept. 8, the http offering the Flex-LM
cracking tool completely removed the Flex-LM cracking tool and any
mention of it. I've done multiple web searches for the specific name
of this tool and found it nowhere on the net. This Flex-LM cracker had
been freely available on that site for 4 weeks (since August 6th.) What
caused it to go & whether it's permanently gone, I don't know. - John ]
---- ---- ---- ---- ---- ---- ----
From: "Richard O. Jones" <richard@simucad.com>
Hello John,
Thank you for publicizing the FLEXlm security problem. Your warning came
just in time for Simucad. We were about to ship a new release of Silos III
and HyperFault tools using Globetrotter's version 6.0.
Based upon your article and after talking with you on the phone about the
exact technical details of how this Flex_LM cracking tool works, we
consigned the freshly minted CDs to the trash. As you can imagine, this
cost us a considerable amount in time and materials. We are now in the
process of creating a new version of our software using the latest version
of FLEXlm.
The remaining problem, from Simucad's point of view, is that all previous
versions of our software have been compromised. Quite clearly, no
retro-active fix is possible.
Thanks for the timely warning!
- Richard O. Jones, VP Sales
Simucad, Inc.
---- ---- ---- ---- ---- ---- ----
From: [ Name Deleted ]
Hi John,
Yes, I am an EDA vendor but, no I don't want to know the sight. It just so
happens that I was in Japan last week, and had meetings with several other
EDA vendors and this is well known to them already. If there are any EDA
vendors that don't know about this, then they are not paying attention. It
appears a lot of pirated software is being sold this way in China and some
of the pacific rim countries.
I read your Posts all the time but I have never replied until now.
Keep up the good work.
- [ Name Deleted ]
---- ---- ---- ---- ---- ---- ----
From: [ Named Deleted ]
Hi John:
Attached is a copy of what I encountered on the DejaNews web site back in
May. It did have a license file attached which did contain a legitimate
license for "ANY" hostid. By tracing it back, I found that it originated
from a university demo license and that the encryption key was brute forced
by incrementally counting from "00000000000000000000" until the one of the
applications "accepted" the key as legitimate.
It probably cost a good deal of CPU cycles, but when you are a university
student with nothing better to do... well, you get the picture. Anyway by
tracing the originator of the email, I found that it originated from a
machine at Tsinghua University in Beijing, China.
Odd mix of American slang and anti-American rhetoric concerning the NATO
bombing of the Chinese Embassy in Belgrade.
Accident occured - [ EDA Product Deleted ] was cracked throughly
Disclaimer
This's a accidental crk releasing coz I mis-pressed the post button,
which is the same accident as the 'accidental' missile attack on the
embassy of China in Belgrade. This accident also happened for the
[ EDA Company Name Deleted ] headquarters locates in the United States.
I don't wanna the same thing happen another time..
Pls do not ask me Q for how to get the software. Cut the contents & save
it as license.dat. Read the online document came with the software for
how to use this shit license. If there're any losts caused to [ EDA
Company Name Deleted ] by this crk, pls ask NATO, the godamned
Neo-nazism on earth, for ur compensation.
Anyway, it was interesting. I had DejaNews remove this crack from their
archives.
- [ Name Deleted ]
---- ---- ---- ---- ---- ---- ----
From: [ Name Deleted ]
John,
Don't reply directly, this is my home email, reply to [ Address Deleted ].
I work for Mentor Graphics, and actually ran across a similar thing on UNIX
about two years ago. Apparently though, it looked like some disgruntled
ex-employee pilfered some key generating software, and sold it. It could
only access Mentor owned products (ie Mentor, Exemplar, Modelsim). They
were so bold they still sent me codes, after searching the web and finding
my other email as mentor.com, and asking me if I worked for Mentor.
A few weeks later the same 'ethical' customer, told me they got another
one for Synopsys. Our legal dept tried chasing them down, but don't
know the results since one e-mail trace ended some where in Romania, and
the other in the South Pacific, where extradition and such have little
meaning in the software biz. Haven't heard from anyone seeing these
codes in about a year and a half, so I guess we found them, or there are
more ethical customers out there than not. Being, the optimist, I
believe ethical customers have shut them down.
- [ Named Deleted ]
---- ---- ---- ---- ---- ---- ----
From: Pallab Chatterjee <pdec@earthlink.net>
John:
Congrats on your position on FlexLM and the latest of many "crackers" fora
license manager. On occassion, I've had to play a few of the "stretch our
current license" games myself in the course of meeting a schedule that
happens to correspond with a holiday weekend -- but I disagree strongly with
the semi guys and consultants who try to operate their business off of
borrowed and/or stolen software. There is a price to pay to be in business;
not being able to afford software is means you can't play in the big
leagues; and if you feel that engaging in illegal activities is the only way
to be on the same playing field as the rest of the people -- means you don't
deserve to be there to begin with.
Please feel free to publish this as you see fit. I just thought it was
important for someone to show that they support your position on playing a
deal fairly.
- Pallab Chatterjee, Vice-President
P&D Engineering Consultants, Inc. Livermore, CA
---- ---- ---- ---- ---- ---- ----
From: "Rob Dekker" <robd@gowebway.com>
Hi John,
This FlexLM crack really worries me.
I am bringing out a verification tool at the end of the year. I was
planning to put FLEX-LM in there for licensing. But if the security hole
that you mention is real, I might have to find another solution. At least
for NT.
I do appreciate it that you do not send the URL to everyone, thereby giving
Globetrotter and EDA vendors a chance to correct the problem.
I don't want to rely on Globetrotter to tell me that everything is alright.
Could you please mail me the URL, so I can check for myself what the risk
is that I am taking by incorporating FLEX-LM into by verification tool ?
- Rob Dekker
(an ex-Exemplar guy)
---- ---- ---- ---- ---- ---- ----
From: [ Name Deleted ]
Is this [ Deleted ]'s site at [ Http Deleted ]? I have a bet riding on this
and that site gives a step-by-step recipe for cracking Flex. It's not a
download like you describe. It's a cracking tutorial instead. Is this your
site, John?
- [ Name Deleted ]
---- ---- ---- ---- ---- ---- ----
From: Brian Turmelle <bturmelle@INTELLITECH.COM>
John,
Being the security buff here at Intellitech I would like to make sure this
technique does NOT work on our keys. I am glad I have been persistent in
not allowing full versions of our software to be downloaded.
- Brian Turmelle
Intellitech Corporation Durham, NH
---- ---- ---- ---- ---- ---- ----
From: Rob Genco <rgenco@synopsys.com>
Dear John,
I want to thank you on behalf of the EDA industry for your handling of the
situation and condemning of these hackers. It's good to know that others
share our concern about this type of crime. I think everyone that could
be affected by this owes you a debt of gratitude.
- Rob Genco, Director of Software Operations
Synopsys, Inc.
---- ---- ---- ---- ---- ---- ----
From: David Chapman <dchapman@aimnet.com>
Well, I'm not a verifiable EDA company yet, so there's no point in sending
the HTTP, and my software doesn't run under Windows NT (yet) anyway, but I
was planning on using Flex-LM for running my software under Windows 98 on
a laptop (!) as a demo. So, my question is: has Flex-LM been compromised
under Windows 98 too? Is GlobeTrotter Software likely to give me a straight
answer on this (or the NT problem, if/when I compile my software for it)?
Is GlobeTrotter working on a solution, or are they stuck with the problem
until Microsoft releases another service pack?
Thank you for telling us about this problem. Now if only we could hang
those hackers by their thumbs... (Or should I blame Microsoft for releasing
such a lame-brained excuse for an OS?)
- David Chapman Santa Clara, CA
---- ---- ---- ---- ---- ---- ----
From: [ Name Deleted ]
John,
Here is the email from the VP of marketing at Globetrotter. It's full of
legal threats about cracking Flex and it starts and ends with a "please
sign up for the EC4S class next week." They want $400 for the class.
Those marketing guys are shameless!
- [ Name Deleted ]
|
|
