Software Watermarking

[Shub-Nigurrath]

Have you ever heard of this?
It's an interesting issue, for those of you interested in theory.

hxxp://web.engr.oregonstate.edu/~vandyke/html/ssap.html

hxxp://www.acm.org/crossroads/xrds10-3/watermarking.html

Thanks I serching this information ;-)

Watermarking has been around for some time. IDA has used it for many years. It's only real effect is to punish the original, legitimate owner, who either gave away his copy of the software or, more likely, left his computer unattended and unintentionally allowed someone to download it.

If the IDA model is any indication, watermarking as a protection scheme is a failure. They are very selective of the people they will sell to, usually government agencies or companies they know something about. They do not generally sell to individuals. Yet whenever a new version is released, it quickly makes it's way into the 'public domain' within a few weeks. The ftp of this forum is a good example.

In practice, I doubt that DataRescue can do very much to punish the offender. They can hardly threaten to stop selling to large customers. That would really cut into profits. All they can really do is hope that the threat of punishment will deter people.

[gabri3l]

A good article i read on watermarking can be found at hxxp://www.cs.arizona.edu/~collberg/Research/Publications/CollbergThomborson99a/

[Shub-Nigurrath]

Humm
the arguments you're proposing are effectively true (also because proven by facts ) newertheless the WM of SW is interesting more for avoiding escapes of intellectual properties (under the form of algorithms or code peices). The most interesting application, isn't in avoiding piracy, but in avoiding stoling of algorithms or similar..

Anyway it's an interesting argument..despite encryption or easter eggs, the most interesting approach is the one using excecution paths to store informations or the dynamics approaches that store information inside the memory or the stack..

Another interesting thing is the classic steganographic (hide text into a text) approach in the source code ..

just for discussion..

Yes, I agree that the dynamic approach is by far the most interesting approach. But I still think, overall, that any watermarking is weak, even if we are only discussing the protection of an algorithm.

Suppose I have a great algorithm that I do not want some other company to steal. I embed some sort of dynamic watermark inside that would be extremely difficult to detect. Now my algorithm is protected, at least I can sue the company that steals it. But that is only true if the thief is lazy and just rips the algorithm from my code and drops it into hisr software. If the thief is careful, he will reconstruct my algorithm, rearrange some of the variables or procedures, make it a little more or a little less efficient, etc., and destroy my watermark.

The strongest technique to protect key pieces of code that I know of, is to encrypt those sections of the program. A popular piece of software that uses this method is Elcomsoft password crackers. The idea that they use is very good, but their implementation is very poor.

[Shub-Nigurrath]

Humm,
about IDA I think that their protection is more a façade, just to safe theyrselves from blaming on piracy. Their tool is so powerful that should be sold only to accredited institutions..this is the common consideration of anti piracy coailitions. Moreover having the name of the buyer embedded into the program ensures an additional hand in protecting the program: which institution would see its name spread around?

After all I beieve that also they knows how technically weak is their protection.

If I was a technical manager at datarescue I would have done the same..

Yes, that is possible. Numega did the same thing with SoftIce. They made it ridiculously easy to bypass the protection. Many thought they did this so they could claim they were not supporting piracy but making it easy enough for SI to be widely used. Then when someone needed a debugger for legitimate reasons they would think of SI and purchase it.

The one difference is that Compuware, (Numega), will sell to anyone and DataRescue will not. It may be that they are one of the few companies smart enough to realize that no software can be completely protected. So instead of spending their time and effort at the impossible task of trying to make their program crackproof, they put their efforts towards making a better product.