Quote:
Originally Posted by TippeX
a skilled person would be able to figure out what was sent..
|
If the data is encrypted? Forget it! Even a skilled cryptanalyst could take 1-2 years to decipher strongly-encrypted content.
Quote:
Originally Posted by TippeX
when you buy something in the shop with a credit card, does that shop also not have your name, credit card number (and probably access to your address)?
|
No they do not. They'll have your name and credit card details only - which is why many ask for an address separately for marketing or product warranty mailings.
Quote:
Originally Posted by TippeX
if a game did record personal information and sent it when you registered / logged onto their server it would be pretty damned stupid.
|
Nonetheless it has happened. Blizzard
did this with StarCraft 10 years ago (in this case, extracting user names and email addresses from the Windows Registry).
Quote:
Originally Posted by TippeX
the protection companies have better things to do
|
Really? And on what experience do you base this judgement? Do you work for one such company?
If having "better things to do" was their main criteria, most protection companies would be closing down. Their products don't actually
benefit anyone (cost and inconvenience to developers, further inconvenience to users, little to no perceptible effect on piracy) but they play on the fears of publishers in order to make their living. In their eyes, the end customer is a resource to be exploited (and often demonised as someone who would pirate at the drop of a hat if not for protection system X) so if a little extra profit can be made by harvesting and marketing personal data, their main concern would likely be covering themselves with a open-ended EULA.
There is plenty of monitoring online already (financial sites like Paypal or American Express supplying visitor data to Omniture, retailers reporting purchases to ShopZilla, Nextag or Coremetrics, smaller sites using Google Analytics) so this is a well established (and presumably profitable) business. It is only a small step for a company using compulsory online activation system to contribute to (and benefit from) this.
Quote:
Originally Posted by TippeX
as for the data being encrypted 'in transit', it has to be plain text at one point in time for it to be stored and then encrypted, a skilled reverse engineer could find it by simply backtracing buffers when the data is actually sent out...
|
If cracking encryption was
that simple, then nobody would rely on it. As long as a verified algorithm is implemented properly (and that certainly can be harder than it looks), it isn't going to give up its crown jewels when someone fires up SoftIce or anything similar. In the case of pre-existing data (which is what is under discussion) there would be no need to store cleartext separately anyway - just encrypt and send. You could use other software to monitor (and restrict) file and registry access, but this would only be feasible for the most technically expert users.
15-05-2008, 11:44
Similar Threads
Threaded Mode