Author Topic: lisp security  (Read 14067 times)

Ron Heigh

  • Guest
lisp security
« on: December 08, 2003, 09:51:15 AM »
I've been asked to research some security options for our custom lisp routines.
I'm going to compile all the routines, but I need to include a routine that checks for the correct security code in the support path.
If the security code isn't valid, the lisp routines will not run.
Has anybody done this before?  Anybody interested?

Mark

  • Custom Title
  • Seagull
  • Posts: 28762
lisp security
« Reply #1 on: December 08, 2003, 10:01:43 AM »
Sounds like fun, what about using a registry key?
TheSwamp.org  (serving the CAD community since 2003)

Ron Heigh

  • Guest
lisp security
« Reply #2 on: December 08, 2003, 10:32:08 AM »
A registry key to hold the begin date and the number of days to remain active would be great.  Obviously, this data would need to be hashed from within the routine so it can't be registry hacked.  If the program was compiled as well, I could call it from the start of my compiled routines.
Email me to discuss your fees.

Craig

  • Guest
lisp security
« Reply #3 on: December 08, 2003, 10:44:24 AM »
Hey hey Ron, what's up man? How's that company web site coming along? Did you guys find a host plus fix your forms?  :wink:

Ron Heigh

  • Guest
lisp security
« Reply #4 on: December 08, 2003, 10:47:13 AM »
Hey Craig, great to hear from you.
The company site is running good.  I fixed the form myself.
After getting a few quotes for hosting, they decided to stay where they were.
Turns out, the price they were paying wasn't too bad.
Things are pretty busy around here.  Big jobs with tight schedules.

SMadsen

  • Guest
lisp security
« Reply #5 on: December 08, 2003, 12:36:38 PM »
The only "security" I ever did was setting expiration dates on some VLX demo previews sent to clients. I got the orders so apparently it worked :)

I think the criteria for security have to be considered very carefully. What kind of security code did you have in mind? When is a user allowed to run the lisp routines and when is (s)he not allowed? Is it based on profiles, passwords or a key in file or registry? If the latter then keys can be copied and a checksum verification should perhaps be used.
Are all your routines to be compiled into a single file or multiple files?

Ron Heigh

  • Guest
lisp security
« Reply #6 on: December 08, 2003, 12:55:40 PM »
I'm going to be using a registry key that expires the software every month.
If I don't update the network, it won't work.
Call it, Job Security.
Now they can never fire me. lol

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #7 on: December 08, 2003, 01:07:42 PM »
Or they fire you for industrial sabotage. ...Or whatever they want to call it.

Ron Heigh

  • Guest
lisp security
« Reply #8 on: December 08, 2003, 01:08:25 PM »
I sure hope not.
They've asked me to do it.

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #9 on: December 08, 2003, 01:12:30 PM »
Why do they want to "Lock 'em down"? Are they worried about Prop. rights or something?

Ron Heigh

  • Guest
lisp security
« Reply #10 on: December 08, 2003, 01:32:46 PM »
I've written too much software for these guys to have it just laying around anymore.

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #11 on: December 08, 2003, 01:46:19 PM »
I guess I don't get it, but that's cool. ...Whatever they want I guess.

I wouldn't put it in the reg. I would create a file in the acad dir (with a small app of course) and give it a special line in the file.  Every time your app runs, if the file doesn't exist, don't run.  Besides, your avg. cracker is gonna look in the reg. first anyway.

ELOQUINTET

  • Guest
lisp security
« Reply #12 on: December 08, 2003, 01:48:41 PM »
yeah i could write it for you here's a start :

(Dan -full access)))

how's it look  :wink:

dan

Mark

  • Custom Title
  • Seagull
  • Posts: 28762
lisp security
« Reply #13 on: December 08, 2003, 02:04:05 PM »
>cracker is gonna look in the reg. first anyway
Maybe a "cracker" but is the CAD user going to? How will they know the program writes to the reg.? Unless you know what you are doing and know of the right software to use you may or may not find the correct key, let alone the correct value. I would opt for some special file if AutoLISP were able to write to binary. Guess we could always write a small C++ app to handle that part.

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #14 on: December 08, 2003, 02:11:51 PM »
Just write a crap load of "^@" symbols to the file and add some text to it. Give it a goofy extension. (That's what I would do.)

VB can write binary. (But Cpp is cooler.)

Ron Heigh

  • Guest
lisp security
« Reply #15 on: December 08, 2003, 02:32:51 PM »
I would be more interested in a program that had an encryption algorithm included in the source.
This would stop all users who didn't know how to "crack".

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #16 on: December 08, 2003, 02:39:57 PM »
:? You got one! (The VL IDE) I think you're taking this to the extreme. If I wanted your programs that bad Ron, I would write my own. As Mark said, the avg. user isn't even gonna check the reg. so what makes you think that ... whatever.

Craig

  • Guest
lisp security
« Reply #17 on: December 08, 2003, 02:50:42 PM »
Ron, just as Se7en said, I would probably just place a security file within the AutoCAD folder and give it an extension that doesn't stand out, you know like acad.mpi or ddvpls.tbl. Then incorporate your security into this file. Make it read every 5th or 6th character on until it gets all the characters it needs to fulfill the criteria needed. As everyone else has stated, your average CAD user won't have a clue what to look for.

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #18 on: December 08, 2003, 02:53:46 PM »
I'm sorry Ron, but I just think you're being WAY too paranoid.

ELOQUINTET

  • Guest
lisp security
« Reply #19 on: December 08, 2003, 02:55:10 PM »
i don't have a clue so it seems to work   :roll:  

dan

Craig

  • Guest
lisp security
« Reply #20 on: December 08, 2003, 02:58:50 PM »
Ron I'll tell you, the one who should be paranoid is Se7en because in two weeks he's going to be on Minnesota nightly news covering his face with his coat because he destroyed his employer's computer system and went and shot everyone at Intellicad :twisted:

ELOQUINTET

  • Guest
lisp security
« Reply #21 on: December 08, 2003, 03:02:59 PM »
yeah most cad users can't even spell encryption algorithm much less know what the hell it is... like me copy paste hehehe

dan

Ron Heigh

  • Guest
lisp security
« Reply #22 on: December 08, 2003, 04:10:20 PM »
Your suggestions won't work in our case.  We need to be able to give our routines to subs and have them expire every month.  I want a nag box to pop up and stop all routines until the correct code is entered.  Just placing the code in a file is less work than using the registry though, good suggestion.  We can send the file to the user every month until their contract ends.  It would still need to be undecipherable though.  Some of our subs have programmers of their own who could crack it.
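
The expiring license file discussed above (the checksum SMadsen raises in Reply #5 and the monthly file from Reply #22), as an added example that is not part of the thread: Python stands in for the small helper app the posters suggest, HMAC-SHA256 is swapped in for the unspecified checksum, and `SECRET`, `issue_license` and `check_license` are hypothetical names.

```python
import hashlib
import hmac
from datetime import date

# Constructed demo key (assumption). In the thread's design this secret
# ships inside the compiled routine that performs the check.
SECRET = b"constructed-demo-key-not-a-real-secret"


def _tag(payload: str) -> bytes:
    """Keyed checksum over the license fields."""
    digest = hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest().encode("ascii")


def issue_license(holder: str, expires: date) -> str:
    """Vendor side: build the one-line license file sent out each month."""
    if "|" in holder:
        raise ValueError("holder must not contain '|'")
    payload = f"{holder}|{expires.isoformat()}"
    return f"{payload}|{_tag(payload).decode('ascii')}"


def check_license(text: str, holder: str, today: date) -> str:
    """Client side: return 'ok', 'expired', 'wrong-holder' or 'invalid'."""
    parts = text.strip().split("|")
    if len(parts) != 3:
        return "invalid"
    lic_holder, lic_expiry, tag = parts
    # Verify the tag before trusting any field; compare in constant time.
    expected = _tag(f"{lic_holder}|{lic_expiry}")
    if not hmac.compare_digest(tag.encode("utf-8"), expected):
        return "invalid"
    try:
        expires = date.fromisoformat(lic_expiry)
    except ValueError:
        return "invalid"
    if lic_holder != holder:
        return "wrong-holder"  # a valid file copied from another holder
    return "ok" if today <= expires else "expired"


if __name__ == "__main__":
    lic = issue_license("Sub-A", date(2004, 1, 8))  # constructed sample
    print(lic)
    print(check_license(lic, "Sub-A", date(2003, 12, 20)))
    edited = lic.replace("2004-01-08", "2004-12-31")  # hand-edited expiry
    print(check_license(edited, "Sub-A", date(2004, 6, 1)))
```

The secret has to ship inside the compiled routine, so the tag catches edits to the file but not someone who extracts the key; a public-key signature would keep the issuing key off the client. The expiry test also trusts the local clock.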

SMadsen

  • Guest
lisp security
« Reply #23 on: December 08, 2003, 04:44:20 PM »
Don't think the weakest link will be the encryption method, but how to recognize which routines to block and how to block them.
Are you going to implement a call to a main check routine within each of your routines?

Ron Heigh

  • Guest
lisp security
« Reply #24 on: December 08, 2003, 04:57:18 PM »
We have 2 major programs we are concerned with.
Each of these programs will make a call to the security routine every time they are used.
A past employer had a similar setup that actually overwrote all *.lsp files in the support path if they expired.

Keith

  • Villiage Idiot
  • Seagull
  • Posts: 16899
  • Superior Stupidity at its best
lisp security
« Reply #25 on: December 08, 2003, 04:58:54 PM »
You could include the API for a demo and send a VB file with it. I will look up more info on that later.
Proud provider of opinion and arrogance since November 22, 2003 at 09:35:31 am
CadJockey Militia Field Marshal

Find me on https://parler.com @kblackie

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
lisp security
« Reply #26 on: December 08, 2003, 05:18:21 PM »
Undecipherable is the easy part. Make everything in there useless! Make it a garbage holder with a small key that you look for. -e.g. Find your name in this garbage.

Quote
^AL!This program cannot be run in DOS mode.^@^ MZ @^@%^^@%^^@%^^@%^^@%^^@%^^@%^MZ l^D^@^@^D^@f=Ԕ^@^@tSE h^a^@^@tFS."/^@M
^@^@B^D@^D^@^@tED^@_^][^D^@A SV WPU|^@PaQ^@0Q^@j^@2蕍Q^@;t^^N ^@%^^@%^^@%^^@^@j^@Qh"^^@^@RU|^@_^^A[_
^[Ðd^@^@^@jh+^@Pd%^@^@^@tSV
3W9(^A5t^@^^@8Z^C^@^@^@^@j[U|^@ĀO^@^
@D$TPU|^@V L$QRt{^@N D$
PQ\$ \$<{^@%^^@%^^@%^^@D$(L$ |$ T$+L$$+ϋ|$
ωT$0T$D$8D$ L$4RL$0PQ|$8{^@t
ƆY^@%^^@%^^@%^^@^@^A ^a^@^@Y^@%^^@%^^@%^^@^@^@f ^@^@VL$TfI^@%^^@%^^@%^^@^D^@
T^@$^@^@;t^AVPlU-H^@3;~T
D^@V. 526f 6e20 4865 6967 680d 0a
Rl^@%^^@%^^@%^G;|VL$D蜌Q^@^@^@Ƅ$^@ ^@^@ ^A:^@%^^@%^^@%^^@%^^@%^^@%^^

rugaroo

  • Bull Frog
  • Posts: 378
  • The Other CAD Guy
lisp security
« Reply #27 on: December 08, 2003, 07:05:26 PM »
Ron -

I have a program that will do what you would like...I can't remember how much I paid or where, but I will look when I get home tonight... It encrypts the lisp file that you want into an 'AutoCAD Protected File'... If you want it, let me know, and you can at least try it out and see how well it actually works.

Rug
LDD06-09 | C3D 04-19 | Infraworks 360 | VS2012-VS2017

Keith

  • Villiage Idiot
  • Seagull
  • Posts: 16899
  • Superior Stupidity at its best
lisp security
« Reply #28 on: December 08, 2003, 07:26:08 PM »
AutoCAD protected Lisp files are not secure and can be easily unprotected. That is why the VLIDE compiler is so good. It compiles the lisp, and vlisp into machine code and gives it a .vlx extension.