Jump to content

We need a new password cracker :-(


Recommended Posts

Well in the same way you can of course argument that users do not want to pay for contents and software and therefore it is legal to crack software and put it on the street for free. However there are users who rather pay some money for something useful and also enjoy the added benefit to not download viri festered content that way (most crack download and password cracker sites contain nowadays mostly unhealthy junk if they even contain a single working crack of what they claim to do).

 

And as Djed and James pointed out, the password protection is there because of user request, not to protect the few NI secrets they have (they are better protected by putting them in the 30MB of binary compiled LabVIEW executable code nowadays, and a few more 1000MB of compiled shared libraries). So which user do you want to protect with your password crack? The one who feels nobody has a right to prevent him from seeing a diagram, or the one who produces content for people to use, without wanting to throw all the details on the street.

 

There have been numerous cases of people posting "their" own libraries on various LabVIEW sites, some of them copying open source VIs verbatim, others copying functions from commercial toolkits. If your  position is that nobody has a right to hide his code from you you may have to live with the consequences that that code is not developed anymore for sale, but kept internally, so nobody can profit from it anymore.

 

Well, why do you think someone being very much active on this forum and providing contents and answers should pay, while someone who mostly uses this forum to talk about how to hack the software the forum is about shouldn't?

 

I never said I have any less of a moral obligation to pay as anyone else; just that I don't think a premium membership is worth it. I'm 19; I don't have a steady income yet.

 

Also, the only reason I feel entitled to look at the diagram is because it's in the VI file. If it's on my computer, I feel I have a right to look at it. If LabVIEW didn't have access to the block diagram, I wouldn't necessarily feel I should, but seeing as it's on my computer in an unencrypted form, I see it as fair game. Understand?

 

I'm not trying to "protect" anyone with this hack. Nor is it taking away any protection. By leaving the block diagram in the VI, they are throwing all the details on the street, as you put it.

Edited by flarn2006
Link to comment
The other thing to consider is, right or wrong, there are a number of people using this feature out there already. (I don't know numbers or anything but I have certainly seen it). I don't think they would be impressed in NI turned around and said its been compromised but we aren't going to attempt to improve the protection you are using on your IP. I do always recommend removing the diagram if it is highly sensitive though.

Indeed. However removing diagrams is a maintenance nightmare if you are providing cross-platform, multi-version support.

 

I use the password protection on the installer for the SQLite API For LabVIEW. Mainly to hide the mess underneath :D , but also because it's actually another development (a  "Wizard Creator") that was co-opted very early in it's development to be used as a quick and dirty installer and can be a bit pedantic when fiddled with. If someone hacks that, it's just a testament to their character rather than a serious commercial implication for me. The API itself (the real software) is open source and relies on the "honor" system for purchasing which most of the LV community have the integrity to adhere to. However. If I had tried to make the installer "source-less" I would have ended up with 8 installers (and counting) just for windows let alone the other OSs.

Link to comment
Also, the only reason I feel entitled to look at the diagram is because it's in the VI file. If it's on my computer, I feel I have a right to look at it. If LabVIEW didn't have access to the block diagram, I wouldn't necessarily feel I should, but seeing as it's on my computer in an unencrypted form, I see it as fair game. Understand?

 

So if you happen to park your car (suppose just for a moment you have one, might not be true for someone who is 19) on my ground, I'm free to do with it as I wish? I really thought property right works a little bit different!

  • Like 1
Link to comment
rolf, I think you are getting flarn and I confused.

 

I am against the password protection for the reasons I have mentioned: it is of little or no value to myself and I would imagine the vast majority of other LabVIEW developers. I said originally NI is totally within their rights to put whatever they want into their closed-source, original IP software. As an end user this does not mean I have to like it though, especially when it starts to impact on my ability to do my job.

 

Now, don't get me started on the moral aspects of somebody else tinkering with a system that they own (software, hardware, whatever) to modify some aspect of it that they do not like. I think its fair use to be able to say, ok I am going to screw around this, if I break it its nobody's fault but my own. Don't tell me you are against somebody ripping a DVD (circumventing CSS and thus breaking the law) so that they can watch it one their portable device.

 

I know the license agreement we all had to submit to when installing LabVIEW probably prohibits all sorts of things, but I think it is pretty widely accepted that these forms are licensing are basically useless.

 

Logically putting a password on a diagram is not that different than locking your house door. Can a locked door be forced open? Yes of course! Would you consider it rightful to do so? Probably not! Never mind that you would probably even find it very unfriendly if a stranger enters your house when you forgot to lock the door.

 

The diagram of a VI is not your property, in fact it never can be (except maybe in some banana republic) unless you created it yourself or the original creator abandoned copyright explicitly. Putting a password on a diagram is the complete contrary of saying: Here is my diagram, do with it as you wish! and therefore breaking it is in fact just the same than forcing open a door to a house that is not yours.

 

And to counter your possible argument that the Vi is on your computer and HD, if your house stands on some ground that is leased from someone, it is still your house and you would get furious and call the police if the owner of the land forced your door open to nose through your belongings.

Link to comment

I've shortened quotes for sanity and added parenthesized numbers after statements to indicate what I'm replying to where.

[...] As for intellectual property, it's their fault for expecting miracles from what is essentially security through obscurity. If they care so much about their precious code, they can just remove the block diagrams, and deal with the side-effects. (1) Open source is the way to go, and NI shouldn't help people hide their code if those people choose to release it unencrypted. (2) If the block diagram is accessible to LabVIEW, but it doesn't obey the user who wants to view it, that is certainly not user-friendly, and I could even go so far as to classify it as a bug. (3)[...]

Also, does anyone else see the irony in describing a "feature" designed specifically to go against the wishes of the user whose computer it's running on, as a "user-feature"? And how is that not DRM? [...]
  1. Yeah, it is kinda silly that people expect miracles from it.  That's why in 2012 we added this to the password dialog:
    post-17894-0-20825800-1358240814_thumb.p
    And why we published Security of LabVIEW VI Password Protection vs. Removing VI Block Diagrams.
    And why we continue to openly state that it is circumventable and only provides as much security as a locked door -- a determined intruder will get in due to the nature of a house.  You want the homeowner to be able to get in a house and open the windows.  You want LabVIEW to be able to get into the VI and open the block diagram.  You can break the window or use a battering ram, or you can use the key.  NI made this clearer in 2012, though no amount of warnings or papers will be enough for some people.  That's why it's silly for people to rely on that.  But just because they weren't smart/motivated enough to protect themselves does not give you the right to break in.
  2. Open source is great and I'm a huge fan.  I've been running various flavors of Linux exclusively for 9 years.  And I'm a software engineer.  I realize that although great things come out the FOSS community, it is very very very hard to make a living off of FOSS software.  Most FOSS software doesn't have a large enough user base (or code base) to make money purely off of support.  You need to pay for software sometimes because that's how the technology industry works.  We software engineers need to be paid, too.  If you're only looking at VIs and not misusing the contents (plagiarizing source code, redistributing, stealing) then I don't think there's much harm.  However, I think there is harm in immediately releasing information on how to break password protection because other people will misuse it.
  3. You are not the only user.  LabVIEW is obeying a different user and disobeying you.  Why should LabVIEW disobey a different user and obey you?  Just because it's your computer doesn't mean you gain rights over other people.  You choose to run LabVIEW.  If a parent tells a child they can't have ice cream before bed, that doesn't mean the can have ice cream before bed in someone else's house.

 

[...] It is strange that NI seems to be putting this above things that seem more important to developers...[...]

This was probably on the order of 1/10000th the effort put into LabVIEW 2012.  We don't only have a duty to develop features important to customers, but also to continue to support older features important to customers, even if the feature isn't perfect and cannot be.  Don't throw out the baby with the bath water.

 

Well. The adult way to go about it is to furnish NI with the exploit so they have the chance of evaluating whether they want to expend the effort in plugging it before you release it into the public domain. This would allow you to gain a moral position rather than just looking like a petulant script kiddie. Careers have been made this way and the skills are usually prized rather than punished.

 

White hats and black hats come from the same milliners, however they are viewed and treated very differently both in the community and in the law courts.

 

[...]If I was just going to tell NI about it, I wouldn't have gone to the trouble of finding it in the first place. Who would telling NI help? (Other than NI, of course.) Who do you think I'm more interested in helping: a large company that makes millions of dollars from selling expensive software and hardware, or those products' community of users?

 

Again, I'd really like to release this hack, but I'm holding off because I'm not a lawyer, nor do I have a lawyer, and I'm not sure what kind of trouble if any I could get in by doing so. If anyone has any questions about the contents of one of NI's password-protected VI's, of course I'll answer them.

Although ShaunR opened with a bit of a dig that really blunted his message, I think he's definitely got the right message.  flarn2006, check out Responsible Disclosure and a quick list of companies with Responsible Disclosure policies.  Although NI doesn't have one, we have worked within the general framework of responsible disclosure with many people.  If you'd like more of an assurance, I can try to find something for you.

 

Finally, even if you're helping NI, it's probably not going to make us significantly more money.  It might not even make us money.  But you will also be helping customers by helping ensure customers have a more secure application.  You talk like you're fighting a battle for the proletariat, the unwashed masses of LabVIEW users, against NI.  In reality, we're pretty open to playing ball as long as you don't make it a pain.

 

  • Like 1
Link to comment
rolf, you really now are getting flarn and I confused. You know we are two different forum members right?

 

Not really. It also is in answer to some of your points, although yes it clearly is targeting also and even more so the points flarn makes.

 

While it is unlikely that you will get into legal problems if you look at a VI diagram that was not intended for you to look at and if you only use that knowledge internally, without redistributing what you learn from it, it is still not legal to break the password at all. Forcing the door of a house is illegal independent if you want to steal something or just nose around for your curiosity (or find out what has been done wrong there in order to not make the same mistakes in your own house).

 

If you or anyone else doesn't like the password protection of a VI, you should not download it or ask for a refund if you bought it, and cease using the VI and any accompanying software altogether, not breaking into it to use it anyways in the way you like.

Link to comment
Not really. It also is in answer to some of your points, although yes it clearly is targeting also and even more so the points flarn makes.

 

While it is unlikely that you will get into legal problems if you look at a VI diagram that was not intended for you to look at and if you only use that knowledge internally, without redistributing what you learn from it, it is still not legal to break the password at all. Forcing the door of a house is illegal independent if you want to steal something or just nose around for your curiosity (or find out what has been done wrong there in order to not make the same mistakes in your own house).

 

If you or anyone else doesn't like the password protection of a VI, you should not download it or ask for a refund if you bought it, and cease using the VI and any accompanying software altogether, not breaking into it to use it anyways in the way you like.

I wouldn't try to make a profit off somebody else's block diagram without their permission, password protected or otherwise, but I don't see anything wrong with messing around with it, as nobody is any worse off than they were before.

Also, of course I wouldn't force open someone else's door to look around their house. With a password-protected VI, on the other hand, I'm not doing anything with anyone else's property (intellectual property aside.) Intellectual property is very different from physical property. The latter makes perfect sense, as it can only be in physical possession of one person, and if someone else takes it, they're depriving me of it. The former, however, exists only in the form of information. The idea of a certain sequence of bytes being the possession of one person any more than any other is purely a legal invention. As long as I'm not making a profit, depriving someone of something, or falsely claiming credit, I don't see any moral issues.

Back on topic: can I get an answer from an NI employee about what exactly could happen if I post how to bypass the password protection: Obviously I won't want to post it if I could get sued or something, but if not, I'd love to share my findings.

Link to comment
I wouldn't try to make a profit off somebody else's block diagram without their permission, password protected or otherwise, but I don't see anything wrong with messing around with it, as nobody is any worse off than they were before.

 

Whilst I agree in principle that no harm is done there is a reason why they have password protected it and you have therefore gone against their wishes without know why they have put the password on. It is also hard to prove if you work on something similar that you have not taken inspiration from their IP (and there is little legal protection against this I believe). There is a reason why we have curtains on our bedroom windows  ;)

 

I can't speak on behalf of the organisation regarding what would happen if you posted it, but it would certainly appear to be in breach of your license:

 

 

Restrictions. You may not: (i) reverse engineer, decompile, or disassemble the SOFTWARE (except to the extent 
such foregoing restriction is expressly prohibited by applicable law); (ii) use the SOFTWARE to gain access to unencrypted data in a manner that defeats the digital content protection provided in the SOFTWARE;

As for the consequences I don't know exaclty, presumably you could be at risk of being sued, especially for disseminating the information. If your employer owns the license they probably wouldn't be to impressed!

Link to comment
Whilst I agree in principle that no harm is done there is a reason why they have password protected it and you have therefore gone against their wishes without know why they have put the password on. It is also hard to prove if you work on something similar that you have not taken inspiration from their IP (and there is little legal protection against this I believe). There is a reason why we have curtains on our bedroom windows  ;)

 

I can't speak on behalf of the organisation regarding what would happen if you posted it, but it would certainly appear to be in breach of your license:

 

 

As for the consequences I don't know exaclty, presumably you could be at risk of being sued, especially for disseminating the information. If your employer owns the license they probably wouldn't be to impressed!

Then I'm afraid I won't be posting it. :( It's a shame, really, but I really don't want NI's lawyers to go after me.

I've seen some posts before about people having lost the password to their own VIs; could I get in trouble if I offered to unlock those for them as a favor? (and then, of course, actually did so?) In that case, I wouldn't be going against anyone's wishes, except maybe NI (though if they just need help with their own IP, I don't see why they would care.)

Edited by flarn2006
Link to comment

You could share it with NI and help everyone that uses the feature, you would probably help more people!

Well I don't think anyone you help is exactly going to go trying to get you in trouble are they. But then it might not be their software and then you are aiding IP theft.

As I say, I don't know exactly what could happen but I'd say there are as many people who stand to get hurt from it as benefit, just because you say you would be ethical with it, I've heard there are some unscrupulous folk on this Internet (though I don't believe there are many wandering the LAVA corner of the net)

Link to comment
You could share it with NI and help everyone that uses the feature, you would probably help more people!

Well I don't think anyone you help is exactly going to go trying to get you in trouble are they. But then it might not be their software and then you are aiding IP theft.

As I say, I don't know exactly what could happen but I'd say there are as many people who stand to get hurt from it as benefit, just because you say you would be ethical with it, I've heard there are some unscrupulous folk on this Internet (though I don't believe there are many wandering the LAVA corner of the net)

 

Thanks for the offer, but the only way I'll ever improve DRM is by disabling it. :P I won't "help" them by giving them a false sense of security.

Besides, if they tell me it's their software, so I disable the password, wouldn't the law be on my side considering I had no way of knowing it wasn't theirs? As I mentioned, I'm not a lawyer, so I could be wrong.

Link to comment
Thanks for the offer, but the only way I'll ever improve DRM is by disabling it. :P I won't "help" them by giving them a false sense of security.

Besides, if they tell me it's their software, so I disable the password, wouldn't the law be on my side considering I had no way of knowing it wasn't theirs? As I mentioned, I'm not a lawyer, so I could be wrong.

You are wrong. 

 

Stealing is easy, and if you are offering such services you should be very picky about who you help. You should ask for a written statement from the requester, store that together with the original VI and resulted VI. You should verify that the requester is indeed the IP owner (look at the VI history etc.) THIS IS NOT ANY ADVICE THAT WILL PREVENT YOU FROM YOUR RESPONSIBILITY. AND I WILL NOT BE HELD LIABLE.

 

However I'm glad that NI is improving the security of secured VIs. If they hadn't they had said 'We don't value this function of LabVIEW'. 

 

Putting a lock on something is sometimes just symbolical (like a bike lock in Amsterdam), and sometimes real (like a door-lock on your house).

However in both caes it's illegal to open the lock with anything else than the key.

 

Ton

Edited by Ton Plomp
Link to comment
As long as you are the owner of the bike. 

 

That's what he said.

 

Also, remember I mentioned VI Explorer at the beginning of this thread? I got an email back from him and he said he's working on making it work with LV 2012, so we'll probably have a solution soon that doesn't require modifying the EXE.

Link to comment

I just noticed the following piece of bad advice given by the VI Analyzer:

Test Description: Checks whether the block diagram is present. Do not remove a block diagram from a VI because you cannot recover it. You can password protect a VI if you do not want users to view the block diagram.
Edited by flarn2006
Link to comment
Yes and No.

Consider the case where I lock my bike up and lose the key. It's not illegal for me to break the lock and take my bike back.

OK, but now someone comes to you and says he owns the bike, but lost the keys (and the spare keys). And it's a bike of €2000. Now the story is whole different.

 

Ton

Link to comment
I seem to remember NI saying something along the lines of "if you lose the password to your BD we cannot recover it for you". Classic politician/lawyer speak: 100% true, but actually skirts the issue totally  :lol:

 

NI has in the 15 years or so that the password protection existed, revisited their semi-official response several times. Officially they never publicly committed to helping recover VIs with lost passwords. Unofficially they did make some efforts to help well known customers recover their own VIs, if they could proof reasonably well that it was actually their VI. As that could get easily into a legal and administrative nightmare, they seem to have more than once issued an ukas internally to stop providing this service altogether yet it seems to have surfaced every now and then again, if a customer knew the right person to contact. Supposedly that would be someone rather high in the command chain of NI management.

 

 

I just noticed the following piece of bad advice given by the VI Analyzer:

 

 

 

It's not a bad advice at all! Removing diagrams is just about the worst you can do for distributing VIs. If you are not careful and keep several copies of your source code you can end up VERY easily with no source code at all. That I would consider worse than having the source code exposed to some unscrupulous people no matter how precious that source code is. If the source code is not important enough to warrant a %$#$%$#%#$%#$% comment when you notice that it is gone, you certainly wouldn't worry about someone "stealing" that source code, and if it is a multibillion dollar IP, then good riddance if you loose it!

 

Also distributing VIs without source code requires you to provide one copy of the VIs for every (minor) LabVIEW version and platform you want to support. That is just about one of the bigger nightmares to happen in terms of maintenance and support.

Link to comment
I seem to remember NI saying something along the lines of "if you lose the password to your BD we cannot recover it for you". Classic politician/lawyer speak: 100% true, but actually skirts the issue totally  :lol:

You mean a Mathematician's Answer? Yes, it's true that they can't recover the password, but they certainly can recover the block diagram, which is what you want. If they couldn't do that, neither could I. :)

Edited by flarn2006
Link to comment
  • 1 month later...

Just stumbled upon this thread...

 

@flarn2006: It's hard for me to see your points in any light different than the "new generation's view that everything in this world was made for them, and nothing that CAN be obtained is to be held from them". A few of my own comments:

 

- There is no difference whatsoever between intellectual property and physical property. If you can't see that then you just have to live a while longer and it will dawn on you eventually.

 

- You WILL get into trouble for releasing to the public any information that helps break the LabVIEW password protection scheme. The definition of "public" being any entity outside yourself basically. You will be in breach of NIs license agreement as well as the intellectual property laws of almost any country. Those laws typically state that if a lock is in place, you may not attempt to break it. They do not consider themselves with the strength of the lock, merely its presense.

 

- Personally I'm for DRM when it's done right: it's the sole right of the intellectual property owner to chose which platform you may use the digital content on or with. The problem is that 99.9% of all DRM protected material is flawed by nature. The usual beef people have with it is that they felt they were promised that the digital content would work on some device that it turns out it doesn't. That can be categorized as mislabelling to downright fraud from the seller's side, depending on the circumstances. Unfortunately it's really hard to come down on a big company when they have promised you something that they can't or won't deliver.

 

It's actually difficult for me to grasp how you can think that you own the intellectual rights to some software that you've only paid a tiny fraction of the development cost of? Do you sincerely believe it's OK for you to reverse engineer Word for instance, just because you forked out a couple of dollars for it? "Reverse engineering" in my eyes is just a matter of level. A password protected VI takes less work to get back to the clear source code, while an object file is a bit harder to reverse. You have in both cases been locked out from viewing the "source". It's not yours. And simply by looking at it, you obtain valuable information.

 

Of course it's a pain if it's your own VI that happened to have a malfunction with the password protection scheme, but then as suggested you should contact NI to get it resolved.

 

Regards,

Steen

Link to comment
- There is no difference whatsoever between intellectual property and physical property. If you can't see that then you just have to live a while longer and it will dawn on you eventually.

This is just silly.  Of course theres a difference.  If there was no difference we would use the same word to describe both types of property.  In the dictionary if you look up Intellectual Property it will not say "See Physical Property".

 

I also don't condone releasing anything to break NI's password protection scheme, but I also think it isn't in your place to say that he "WILL get into trouble" if anything is released.  What happened to the last guy that released a password cracker that works on all VIs between 7.x and 2011?  Well I don't know for sure but his website is still up with the source code, and will even remove the password by uploading a VI.

  • Like 2
Link to comment
This is just silly.  Of course theres a difference.  If there was no difference we would use the same word to describe both types of property.  In the dictionary if you look up Intellectual Property it will not say "See Physical Property".

 

I also don't condone releasing anything to break NI's password protection scheme, but I also think it isn't in your place to say that he "WILL get into trouble" if anything is released.  What happened to the last guy that released a password cracker that works on all VIs between 7.x and 2011?  Well I don't know for sure but his website is still up with the source code, and will even remove the password by uploading a VI.

 

Lets' take the latter first; No, you're right, I cannot (nor would I) guarantee that anything bad will happen to our guy here. Of course not. What I really meant was that he would be breaking his contract, so he's not on safe ground. Almost no matter the circumstances, an exception being force majure-like circumstances where there could be legal outs to breaking an otherwise legally binding contract (the whistleblower policies for instance). But by "getting into trouble" you could argue that he derates his personal value, and maybe choses the path of lesser opportunity - i.e. he is less trustworthy if he choses to break a signed contract, and that will stack up against him eventually. Anyways, I reread my own post and I may be coming off as something of a doomsday preacher. Sorry about that to all of you!

 

About the non-equality of intellectual and physical rights. You're right again, they're not the same, but similar in many ways. Especially more similar than flarn2006 seems to recognize. It's a topic that can't be treated with fairness in this forum, it's far too complicated. My isolated point was that regarding ownership and who-can-decide-what they are very equal. If you agree to some terms of usage, well you will have to abide by those rules. But there are several differences as well, but not in favor of the end-user; the clause of termination rights for instance, that does not exist for physical entities (I'm grateful for that). Add to this that intellectual property is treated slightly differently in different legal domains, but so are some physical property laws. So sure, they are not equal but equivalent. flarn2006 seems to think that "intellectual property" equals free-for-all though, and that's my main concern.

 

/Steen

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.