serial number (activation code)

[Jon Skeet [C# MVP]]

I don't. He clearly says "It is mostly true that the MAC address is
unique among default, manufacturer-assigned MAC addresses." Insisting on
"mostly true" when he knows darn well it is true. He's splitting hairs
here just to argue with me.

I really don't think so. I think the "mostly" is to cover vendor
mistakes.

But there is that denial, and of the standard itself. Venture what you'd
like; it's a free Internet!

Again, I see no such denial. I think we'll have to agree to disagree
about this.

No, it wouldn't. That's like saying it would be foolish to follow the
standard when dealing with these addresses. There must be many standards
that are misapplied, yet what they say can still be used. If a problem
with a particular implementation is encountered it can be worked-around,
especially in this specific case of built-in MAC addresses.

There's a difference between working round a problem and believing that
such a problem doesn't (or can't) exist.

Sure you can! You're losing me.

The *reported* address can be set by the user, therefore it shouldn't
be trusted. I thought *that* bit was agreed on...

Yes, I do. I may easily be wrong.

Do you really think that resetting a customer's networking settings is
realistic as a viable way to do things? People kick up a fair amount of
fuss about installers requiring a reboot - but resetting network
settings is a whole different league, IMO.

"That is _not_ the standard for MAC address as they are used in
networks." Wrong.

He's making the distinction between MAC addresses which are used in
real life and the MAC addresses which are built into the hardware. I
think that's a very valid distinction to make, given that users can
change the MAC addresses that are used. What's controversial about
that?

We disagree on the meaning of non-negligible, I think.
Possibly.


No, I think that would work fine. Supposedly it does, anyway.

If any installer tries to screw around with my network settings, it
certainly doesn't count as "working fine" in my view.

Yes, it works; it is used by products.

Just because it's used doesn't mean it works though. ROT-13 can be
*used* as an "encryption" mechanism, but it doesn't *work* as an
encryption mechanism. It's not a viable, feasible, workable encryption
scheme. If a product shipped using it, that wouldn't make it any more
secure as a scheme.

That's your definition of licensing scheme (and isn't a bad one).
Because a product ships with a "MAC address licensing scheme" that may
(or may not) let MAC addresses be spoofed does not mean it isn't a
legitimate licensing scheme. I would say that there is no licensing
scheme that is 100% accurate nor 100% secure. A product company may
decide that this hole may be perfectly acceptable for their needs.

This is what makes such a licensing scheme workable.

I think it depends on the amount of difficulty involved in cracking it.
If it takes 5 minutes without having to install any extra drivers etc,
that's pretty unworkable in my view - and that's what I suspect the
case is for most if not all such licensing schemes, unless they commit
the cardinal sin of tampering with my network settings. At that point
they may be more secure, but I suspect not 100%. The cost is too high
though, IMO.

Now, as with most holes, I suspect that it's not the case that
companies deem such a hole as acceptable so much as that they don't
understand the hole to start with.

Well, we agree on that. I don't like any of those schemes either,
including the one-time validation ones. All of them are relatively easy
to crack.

There are pros and cons. At least there isn't usually too much pain for
legitimate owners, however - no network settings tampering, for example

I don't see how it can be denied that it is a workable technique, but
whatever. I never claimed, nor would I ever claim, it is a perfect
solution. But I would say it is perfectly acceptable for the needs of
some companies.

I would be interested to see what those companies would say if a
5-minute zero-expertise (beyond reading a web page) crack were to be
presented to them. Of course, without trying out one of these products
(and knowing a valid licence key for a given MAC address) it's hard to
show that - but I have strong suspicions that their products aren't as
safe as they expect them to be. When a risk is accepted unknowingly it
shouldn't count as making the scheme involved "workable" IMO.

Which is why they can define how bullet-proof or not bullet-proof their
licensing scheme is.

Only if they understand the weaknesses of such a scheme.

You make an excellent proxy for Peter, BTW.

I just got fed up with the situation where I couldn't see that much
disagreement on what you actually believed, just on the words being
used.

 

[G.Doten]

I really don't think so. I think the "mostly" is to cover vendor
mistakes.

I don't, but that's OK.

Again, I see no such denial. I think we'll have to agree to disagree
about this.

Makes sense to me. Plus, I don't want to repost everything he wrote.

There's a difference between working round a problem and believing that
such a problem doesn't (or can't) exist.

That's true.

The *reported* address can be set by the user, therefore it shouldn't
be trusted. I thought *that* bit was agreed on...

I meant the reported built-in MAC, not the potentially change addresses
allowed by some NICs.

Do you really think that resetting a customer's networking settings is
realistic as a viable way to do things? People kick up a fair amount of
fuss about installers requiring a reboot - but resetting network
settings is a whole different league, IMO.

I think it is rather simple to get at the built-in MAC address for any
device that has them, without reconfiguring a system. Assuming, of
course, that what you pointed out isn't the case (i.e., that the
built-in MAC is always available and can't be hidden or otherwise wiped
out by firmware or whatever).

He's making the distinction between MAC addresses which are used in
real life and the MAC addresses which are built into the hardware. I
think that's a very valid distinction to make, given that users can
change the MAC addresses that are used. What's controversial about
that?

Because it *is* the standard for MAC addresses as they are used in a
network.

If any installer tries to screw around with my network settings, it
certainly doesn't count as "working fine" in my view.

Won't argue with that.

Just because it's used doesn't mean it works though. ROT-13 can be
*used* as an "encryption" mechanism, but it doesn't *work* as an
encryption mechanism. It's not a viable, feasible, workable encryption
scheme. If a product shipped using it, that wouldn't make it any more
secure as a scheme.

But it does work, in this case. Does it necessarily fit your definition
of what a licensing scheme should achieve? Maybe not. But that's not the
point. The fact is products do use it, whether you want them to or not.

I think it depends on the amount of difficulty involved in cracking it.
If it takes 5 minutes without having to install any extra drivers etc,
that's pretty unworkable in my view - and that's what I suspect the
case is for most if not all such licensing schemes, unless they commit
the cardinal sin of tampering with my network settings. At that point
they may be more secure, but I suspect not 100%. The cost is too high
though, IMO.

You're going places that are way out the scope of this conversation. I
don't disagree with anything you just said in that paragraph.

Now, as with most holes, I suspect that it's not the case that
companies deem such a hole as acceptable so much as that they don't
understand the hole to start with.

Oh, I think you'd be surprised at the trade-offs a company is willing to
make. I agree those trade-offs aren't always great, but sometimes it is
the cost of doing business.

There are pros and cons. At least there isn't usually too much pain for
legitimate owners, however - no network settings tampering, for example

I wouldn't bet the farm on that. I'll bet that even some of the one-time
validation schemes dick around with net settings. And I bet they don't
even tell you! Not that I suspect it is prevalent or anything like that,
just that it wouldn't surprise me in the least.

I would be interested to see what those companies would say if a
5-minute zero-expertise (beyond reading a web page) crack were to be
presented to them. Of course, without trying out one of these products
(and knowing a valid licence key for a given MAC address) it's hard to
show that - but I have strong suspicions that their products aren't as
safe as they expect them to be. When a risk is accepted unknowingly it
shouldn't count as making the scheme involved "workable" IMO.

I think most would say, "oh well." Enforcing licensing is one of those
trade-off things where you decide how secure to make it and/or how
effective to make and/or etc. compared to how much money and/or time you
are willing to invest in it. Management will take some pretty strange
short-cuts sometime. But then we're now just talking about licensing
schemes and I think that in 9 out of 10 cases a "pretty good" solution
is just fine. Just try to keep out as many software pirates for as
little investment as possible and go with that. It doesn't need to be
bullet proof. Of course how much is invested depends on the vendor, what
they are willing to invest, and other factors like that.

Only if they understand the weaknesses of such a scheme.
Yep!


I just got fed up with the situation where I couldn't see that much
disagreement on what you actually believed, just on the words being
used.

And since you seem to be playing his defender, I admit that I got
entirely fed up with his condescending all the time. Especially when
someone gets to their point where their argument is "well clearly you
don't understand so I certainly can't explain it to you." It bugs the
shit out of me--almost as much as name-calling (though you have to admit
"the mighty" isn't necessarily derogatory . But I suppose they are
techniques we all use one time or another, whether we are aware of it or
not. I think a lot of people have a hard time stepping back and seeing
how condescending they can sound, especially in a forum like this. I
know I have been guilty of it in the past!

I don't think I've ever seen you so, ah, passionate about any other
thread in this forum before. You took the "Peter proxy" like a
gentleman. I was just joking around, and it just popped in my head while
writing that sentence and couldn't resist it. If we can't play around in
these forums, and they have to stay stodgy and "just the facts," well
who the hell wants that?

 

[Peter Duniho]

It is unfortunate that Jon allowed himself to be dragged down the same
rat-hole that I myself permitted myself to be dragged down. He has my
sympathy.

As I already mentioned, I see little point in any further effort on my
part in this thread. However, you've crossed a line by leveling false
accusations at me, and those I must correct:

G.Doten wrote:
[...]

I don't, but that's OK.

Jon's interpretation is exactly correct.

Frankly, I am at a loss to understand how you can justify the opposite
interpretation. I believe I have made exactly clear the exceptions I
feel exist, but at worst I have left some sort of ambiguity. I
definitely have not written anything that should lead you to an absolute
conclusion opposite of my intent.

It is telling that when presented with such an ambiguity (such as it may
be), you choose to infer a meaning that you feel is incorrect, rather
than offering the benefit of the doubt. This tendency to attribute the
worst to someone else is made even more clear here (from a previous post):

I didn't realize I called you a name, Jon. I think "the mighty" can fend for himself, as far as I've seen. He's certainly used worse on me (not that I care). However, you're right, name-calling is not useful at all.

The only person in this thread who has made any sort of personal attack
or engaged in name-calling is you. For you to claim that I have
"certainly used worse" on you is wrong, factually and ethically.

I grant that your name-calling has been mild as Usenet goes, but you
certainly have not shied from it and in fact you appear to relish in
creating a personal confrontation as part of the discussion rather than
just sticking to the facts. But you are alone in this thread with
respect to that sort of behavior, and I don't appreciate you falsely
claiming that you are not, especially when I am the target of that false
accusation.

Pete

 

[Jon Skeet [C# MVP]]

I think it is rather simple to get at the built-in MAC address for any
device that has them, without reconfiguring a system. Assuming, of
course, that what you pointed out isn't the case (i.e., that the
built-in MAC is always available and can't be hidden or otherwise wiped
out by firmware or whatever).

How? The web page you've used before as evidence of how feasible it is
certainly doesn't do it without reconfiguring the system.

At this point it would be worth breaking into code if possible - it
would be nice to have something to try to fool, if you see what I mean.

Because it *is* the standard for MAC addresses as they are used in a
network.

VMs appear on networks all the time. They aren't assigned unique MAC
addresses by hardware vendors, so don't follow the same standard of
uniqueness.

But it does work, in this case. Does it necessarily fit your definition
of what a licensing scheme should achieve? Maybe not. But that's not the
point.

If it doesn't achieve what any sensible licensing scheme should
achieve, it doesn't count as working in my view.

The fact is products do use it, whether you want them to or not.

I've never argued against that. There are products which do all kinds
of stupid things.

And since you seem to be playing his defender, I admit that I got
entirely fed up with his condescending all the time.

Condescension such as:

<quote>
I have to keep repeating myself because you don't seem to hear what I'm
saying. Just because you claim something isn't relevant doesn't make it
so.
</quote>

?

Especially when someone gets to their point where their argument is
"well clearly you don't understand so I certainly can't explain it to
you."

Sounds quite similar to:

<quote.

It bugs the

 

[G.Doten]

It is unfortunate that Jon allowed himself to be dragged down the same
rat-hole that I myself permitted myself to be dragged down. He has my
sympathy.

As I already mentioned, I see little point in any further effort on my
part in this thread. However, you've crossed a line by leveling false
accusations at me, and those I must correct:

And he's back! I knew you couldn't stay away! I missed you! (Laugh, damn
it.)

And why do you think I'm been holding my ground in this thread? Do you
think I enjoy being contradicted by you over-and-over again, especially
when my sense tells me you understand what I am saying perfectly well?
False accusations are indeed not fun.

Jon's interpretation is exactly correct.

Frankly, I am at a loss to understand how you can justify the opposite
interpretation.

Did it ever occur to you that you may not have chosen the best words to
precisely describe what you were trying to say? "Interpretation" in this
case is a perfect word. Jon perhaps interpreted what you said one way, I
perhaps interpreted it another; if you are at a loss to understand how
that can happen, well, it's the nature of language. English is not like
C#. My having said "I don't" does not in any way imply or otherwise
justify someone reading into that that I take the opposite stance to
what I was commenting to; it leaves things wide open for interpretation.
As does Jon's "I really don't *think* so" statement. There's no 1s and
0s in English, unfortunately.

For example, if you had said "It is true that the MAC address is unique
among default, manufacturer-assigned (aka built-in) MAC addresses." Then
I, for one, would have understood perfectly what you said. But you
didn't say that, and you said the opposite for a reason, at least my
interpretation leads me to believe you intentionally obfuscated what you
said. Did you intend to? I can say that having experienced your defense
mechanism so much these past few days that my interpretation is that you
did. If you can't see how someone can come to that conclusion, then I'm
sorry, I don't know how else to explain it.

I believe I have made exactly clear the exceptions I
feel exist, but at worst I have left some sort of ambiguity.

You believe the facts you have stated to be true, as do I. But the
nature of language unfortunately always leaves room for ambiguity.

I
definitely have not written anything that should lead you to an absolute
conclusion opposite of my intent.

I can't know your intent except by what you have written. Clearly, I
disagree with some of the stuff you've written. Where I agree I've
stated that explicitly. How you can twist my intent I do not understand
either.

It is telling that when presented with such an ambiguity (such as it may
be), you choose to infer a meaning that you feel is incorrect, rather
than offering the benefit of the doubt.

That's exactly what you have been doing with me, well put. Until you got
to the point of "oh he's in his own world, I'm 'done'."

This tendency to attribute the
worst to someone else is made even more clear here (from a previous post):

Now you are generalizing, and have no facts for such a generalization.
I've posted in this forum many hundreds of times. I challenge you to
post sufficient examples to generalize that I condescend.

The only person in this thread who has made any sort of personal attack
or engaged in name-calling is you. For you to claim that I have
"certainly used worse" on you is wrong, factually and ethically.

First of all, "the mighty" is hardly something to be concerned about. If
that bothers you, you need to grow a thicker skin. Factually and
ethically, that's rich. But if you want to deny what you've written,
feel free. Name-calling is not always explicit, being condescending to a
person is, I would say, a far worse form of name-calling. *Especially*
compared to the term "the mighty."

Is this thread now going to be the condemning and the defense of the
term "the mighty?" It is used quite positively in these circumstances:

- The Mighty Organ - http://www.themightyorgan.com/
- The Mighty Sparrow - http://www.mightysparrow.com/
- The Mighty Geek - http://www.themightygeek.com/

Why did you jump to the conclusion that I was using it for name-calling
in a negative sense? (Other than I admitted to it after the fact.) Feel
free to call me The Mighty Glenn. I like the sound of that.

I grant that your name-calling has been mild as Usenet goes, but you
certainly have not shied from it and in fact you appear to relish in
creating a personal confrontation as part of the discussion rather than
just sticking to the facts.

Now that's calling the kettle black. Your attitude in many of your posts
leads one to believe you relish in such behavior.

But you are alone in this thread with
respect to that sort of behavior, and I don't appreciate you falsely
claiming that you are not, especially when I am the target of that false
accusation.

If "the mighty" is name-calling, then your writings invite you to be
tarred-and-feathered from the forum. You see, from where I sit and read,
you have this attitude of superiority to practically everyone in this
forum, whether you intend your writing to come across like that or not.
Could I be misreading that? Admittedly, certainly yes, but I'm not the
only one. Do I think you do not contribute useful posts? Nope. Do I
think you are a bad person? Probably not.

But please, try some humor. It makes the day much more pleasant, and
this is C# nonsense after all, and way to unimportant to get yourself
all worked up over.

Yes, I am having fun. At this point in my career I'm in this industry
far more for the interaction with other people in it and how the
interpret, react, implement, and otherwise play with the bits-n-bytes of
the technology. This discourse, at least for me, has been tremendously
insightful. Not only on the nature of yourself, Jon, and some others,
but on the nature of myself and how the technology points that have been
raised have been discussed. Have fun coding, and always be open to
discussing, even if you don't believe you see the other person's point
of view. It's the best part of the game!

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

Interesting points, Jon. Although I wonder if anyone can confirm #1
definitively. I have been assuming (from experience) that the built-in
MAC address is always accessible at least by kernel-level code. But I
will be the first to admit I don't know this to be a fact for all
devices. I'm happy to take your word on it.

I would guess that most ethernet address checking code just checks
the ethernet address being used.

And that can be set by software for many/most cards.

Arne

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

I would guess that most ethernet address checking code just checks
the ethernet address being used.

And that can be set by software for many/most cards.

Oh and BTW then I think licenses tied to some specific hardware
is a horrible idea.

A real nightmare for sysadm's.

Arne