Internal security of Rev? Hardware for storing passphrases or keys?

Chipp Walters chipp at chipp.com
Tue Jul 18 01:37:20 CDT 2006


John,

Adding a dongle to your product is something which should be run by
marketing as well. There are many companies who don't like having dongles on
software and it can represent a significant barrier to sales.

Perhaps I'm not understanding you correctly, but as I read this, you want to
burden your users with a dongle, because you don't want to learn a bit of
PHP? I think if you consider using a 3-tier approach, you would find it is
more secure, and more extensible as well. If you are ever inclined to
provide a web browser interface for your product, having the middle-tier
already built in PHP can be a huge benefit.

Furthermore, having the database login info on your server makes it MUCH
MORE DIFFICULT for someone to crack it, because they have to have access to
your server. Putting the code in a dongle, or any client app makes it
available at all times to any hacker.

Finally, if I really HAD to embed a user/pass into a stack, I could store it
using my own encoding scheme in an already password-protected stack as
part of a script which I would not use. Because all scripts are encrypted,
then I would have the benefit of double protection in a place difficult to
find (some script).

Of course, I imagine if someone takes the time to crack it, then they could
also crack a USB key without much more trouble. In fact, somewhere in your
code, you'll need to define a global or function which 'checks the serial'
and if someone can hack your stack, then they can override that function as
well.

As many others have already said, I would spend my time adding some decent
copy protection, and then work on features which help sell my product.

best,
Chipp
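
The three-tier arrangement recommended in the message above, sketched as a PHP middle tier in which the database login never leaves the server. This is an added example, not part of the original post and not code from its author; the environment variable names, the `api_tokens` table and the two actions are assumptions made for illustration.

```php
<?php
// Added example: middle tier. The desktop client sends a per-user token and
// an action name; the database login stays in the server's environment.
// Allow-list of queries: the client picks an action, it never supplies SQL.
const ACTIONS = [
    'list_orders' => 'SELECT id, total FROM orders WHERE customer_id = :uid',
    'get_profile' => 'SELECT name, email FROM customers WHERE id = :uid',
];

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

$token  = $_POST['token']  ?? '';
$action = $_POST['action'] ?? '';
if (!is_string($token) || $token === '' || !is_string($action)
    || !array_key_exists($action, ACTIONS)) {
    respond(400, ['error' => 'bad request']);
}

try {
    // Assumed variable names, set in the web server's environment.
    $pdo = new PDO((string) getenv('APP_DB_DSN'),
        getenv('APP_DB_USER') ?: null, getenv('APP_DB_PASS') ?: null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);

    // Tokens are stored hashed in a hypothetical api_tokens table; revoking
    // one cuts off a single client without changing the database password.
    $stmt = $pdo->prepare('SELECT customer_id FROM api_tokens
                           WHERE token_sha256 = :h AND revoked = 0');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        respond(401, ['error' => 'unauthorized']);
    }
    $query = $pdo->prepare(ACTIONS[$action]);
    $query->execute([':uid' => $uid]);
    respond(200, ['rows' => $query->fetchAll(PDO::FETCH_ASSOC)]);
} catch (Throwable $e) {
    // Log server-side only; connection errors can include credentials.
    error_log('middle tier db error: ' . $e->getMessage());
    respond(500, ['error' => 'server error']);
}
```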


