4

Apologies if this is not the right place to ask this question, I will happily move it to another Stack Exchange site if need be.

Before I explain the rationale behind the question, let me clear up a few things first.

  1. I enjoy cracking software, for my own educational purposes.
  2. I do not participate in or work for any cracking group.
  3. I never release or publicize any cracks/keygens and do not use them for personal gain.
  4. I attempt to protect my own software better based on flaws I discover in other people's software.
  5. I am a software vendor myself and would hate for my work to be pirated, so I gladly pay for licenses and would appreciate if anyone ever approached me and pointed out flaws in my software.

With that out of the way, my question is, if I am able to successfully crack a piece of software (games, components, etc.) should I notify the vendor that their software is vulnerable, or just keep it to myself?

I have notified a few people/companies (usually small-time developers) in the past, all of whom appreciated the feedback and subsequently strengthened their license checking as a result. Should I be doing this on a regular basis or can I get into serious trouble for even attempting to reverse engineer something? I don't charge or try to blackmail people either, totally above board with full disclosure.

My own EULA states "Redistribution of source code is strictly prohibited by means of reverse engineering or otherwise" which clearly highlights redistribution, not personal gain or even self improvement (no idea, I'm not a lawyer).

This moral dilemma has bugged me for quite some time and I would love to report back to vendors so that they can avoid being compromised. Not sure if everyone will be forthcoming about it and may even be offended.

AviD
BrutalDev
  • 2
    I'd do it anonymously. Some people react in strange ways when confronted with flaws, and take it personally. There are examples where similar unsolicited constructive criticism actually backfired. – Yolanda Ruiz Feb 22 '14 at 22:07
  • @YolandaRuiz: Reporting anonymously is good, but trying to hide your identity creates suspicion which could backfire in itself. It seems like being a good Samaritan is just too risky :( – BrutalDev Feb 22 '14 at 22:43
  • 1
    Many EULAs prohibit reverse engineering altogether. By telling them that you cracked their software, you're already at risk of a potential Breach of Contract suit... –  Feb 22 '14 at 23:18
  • What benefit would they get from your report? Anti-cracking systems are never perfect, and they already know that. Sure they could add some sticky tape which would stop the particular crack you created. But you could then just make your crack a bit smarter and it would work again. – paj28 Feb 23 '14 at 08:16
  • @paj28: I would get no benefit from reporting it other than trying to help fellow software developers from potentially getting ripped off or losing sales due to piracy. Sure it will never be perfect but there are often small steps that can be taken to make it *significantly* more difficult to circumvent. The unfortunate reality is that you'll never be able to stop crackers altogether, but if the effort outweighs the cost then you've largely won the battle. A lot of the time I wonder why the software isn't just free because it's far too easy to crack. – BrutalDev Feb 23 '14 at 11:49
  • @BrutalDev - will it really make a difference? If someone with your skills (but not your ethics) distributes a crack then it becomes very easy for anyone to just download and use that. Can vendors realistically increase the difficulty to the point that no-one will produce a crack? – paj28 Feb 23 '14 at 12:22
  • @paj28: I think it definitely helps mitigate it but will never prevent it (I hope so for my own sake). But you're right, once a crack becomes available then it really doesn't matter how hard you've tried to keep people out. If you have the energy you can constantly make alterations and detect cracks so that each version becomes that much more difficult to circumvent. For a $20 app it's not worth the time, but for a $10000 app that is more than likely quite targeted, I would try and make the effort. – BrutalDev Feb 23 '14 at 15:47

5 Answers

2

All software vendors know their software can, and always will be cracked. Software has been cracked for as long as there's been licensing or copy protection. Cracking groups go back to the 1980s, and copy protection schemes went as far as punching physical holes in a specific sector in floppy disks. That sector could never be written to on the original disk, and so if an attempt was made to write to it, and it worked, you knew the software had been copied. This was cracked, and the software copied and distributed across the country on BBSs. Every software protection and licensing scheme that's been tried has been cracked. Software licensing isn't meant to be 100% secure, it's meant to keep honest people honest. That's it.

Should you tell them? If you care about the software in question and want it to improve more, probably not. Either one of two things will happen. The vendor will (quite rightfully) ignore it. Or someone at the company will have the idea that the protection needs to be "fixed" because someone has defeated it. Needless effort will then be expended to create yet-another-protection-scheme, and the cycle will continue.

Either way, you're either wasting your own time reporting it, or the software developer's time in "fixing" the cracked software.

By all means keep cracking software. It's an interesting game to play, and many have enjoyed jumping the fence just for the challenge. But don't be under any illusions that you've found some critical flaw, that if someone just fixes, it'll be unbreakable again.

Steve Sether
  • Thanks @Steve, I totally agree with you, the more resources spent trying to protect the software prevents those resources from being used to add new features or fix bugs. In many cases I don't think it's a complete waste of time and I'll refer back to a comment of mine above "it will never be perfect but there are often small steps that can be taken to make it significantly more difficult to circumvent". If it's far too easy to bypass then I guess most people would simply not pay because the cost to effort ratio is so low. You can't make it unbreakable, but you can make it really tough. – BrutalDev Feb 11 '15 at 08:17
1

I guess it all depends on which company it is.

But as an answer, I would recommend not to notify. Because if the company decides to sue, you're going to lose so much time and effort for nothing. And even if this has a low chance to happen, particularly with smaller companies, the risk balance is still very bad.

I have been in the same case as you, and never notified. And I'm happy with this decision 10 years later.

ack__
1

You are ethically obliged to report it, but for your own protection you should do it anonymously.

There are some companies which welcome people for pointing out security flaws in their products. Some even have public bug bounty programs where they financially reward people for doing so.

But unfortunately not all companies have that stance.

There are also companies, usually led by less tech-savvy managers, who have a completely different mindset. They believe that when they get hacked, it's not their own fault, it's the hacker's fault. So they shoot the messenger. There are incidents of companies prosecuting white-hat hackers and even their own employees for computer sabotage and espionage, even when they didn't do any damage whatsoever and only had the best intentions.

To be safe from such prosecution, make sure that you:

  • Report the problem anonymously
  • Do not be condescending
  • Point out that you didn't do any damage
  • Point out that you didn't expose the vulnerability to a 3rd party and that you do not intend to do so.
  • Try not to sound too alarmist, so your message can not be mistaken for a threat or extortion attempt.
Philipp
  • 1
    Thanks, I think this is probably the most sound advice although @ack__ is probably the safest. It's a slippery slope and one should not jeopardize their own well being in an attempt to do a good thing. The points are well put, arrogance too will usually come across as a threat. – BrutalDev Feb 23 '14 at 15:37
1

If you break into software that I have written then I would much rather be the first to know rather than the last. Hell, if you tell me how you did it and it was creative enough I might even talk my employers into paying you as a consultant. As long as it was done for non-malicious reasons I'm ok with that.

But if you break into a system that I run, maintain or have built and cause damage to it, or use it for other means (such as launching AWS instances that cost me money or use it as part of a botnet, steal my users' data, damage the database, stop processes that need to run etc.) then I have a special set of skills, I will find you, I will hunt you down.

Damian Nikodem
-1

You should always report it. Use anonymous means.

You hacked into a system and most likely left a log trail. If someone detects and tries to analyse the breach, they will spend resources that they otherwise wouldn't. This is a waste of resources and it economically hurts everyone.

What if you don't report your white-hat breach and then a black-hat breaches and releases private information, hurting people and businesses? Society has lost again. Waste.

I think that if you can spend several hours hacking a system, you can spend 5 minutes telling the owners of what is wrong with their system. You are competent enough to do it anonymously to mitigate against any potential retaliation.

Don't allow your selfish desires to needlessly hurt others.

Matrix