I've had to slightly edit the formatting of the interview to work with this site, so I've also attached to this post the original, unformatted version in a zip file.
1.) What is the easiest protection scheme to crack? Time limits? Disabled features? Serials? Nag Screen? Adware? Other?
That always depends on the cracker you're asking and their skill level. An experienced cracker who's been doing it for years will tell you that they are all simple and none is easier than the other. Some crackers have specialties and like to work on one type over another (i.e focus on "Time Bombs.") In general I would most likely say that Nags or Time limits come the quickest to the newbie cracker. However as a shareware programmer myself, that doesn't mean not to use them. I use strategically placed nags in my own programs, not to necessarily stop crackers, but to encourage registrations, but at the same time, it's one more thing that the cracker has to spend time on.
It's no secret that most crackers like to whip through each program as quick as they can while still making a 100% working crack, so the more annoying to a cracker the program is (while still keeping it transparent to the regular user) the more likely they will just get tired of messing with it and move on. Contrary to popular belief, crackers are not out to get anyone. It's rarely personal and most programs are on and off the chopping block just like that. <snap> But all that is already pretty well known and I'm not going to get up on a soap box using the same old canned defense we've all heard for years now.
2.) Can you give some input on each of these schemes?
a.) Which is the worst?
The worst is a hard coded serial number. In case your unsure of what I mean by that, it's when the programmer puts the serial number right into the code and then compares the entered serial with that to validate it. It shows up right in a hex editor and literally takes seconds to "crack" the program. In fact, this isn't even cracking. A 2 year old could do that. For the love of God man -never- do that, ever... But if you decide that you just can't control yourself and absolutely HAVE to do it, at the very least make a bunch of variables and store small pieces of the serial number in each one and move em all around in the code, then stitch them back together when the time to compare comes. Then in the hex editor it at least won't show up as a single code and the cracker will have to take another second and a half to see it in a debugger. <grin>
A close second would be a commercial protection scheme such as RSAgent for example, or Timelock. Once it's understood and cracked, a thousand programs now become freeware including yours if you used it. Make your own. It's better for you, it's better for us. It's better for the world as a whole.
b.) Which is the best?
The best is a dongle (hardware lock). They are a big pain in the arse even for experienced crackers. I'd have to say from my experience that only about 10% of the crackers as a whole can do dongles. I've known crackers that can do dongles who choose to do nothing but dongles and get paid very well for doing them. It's the one area of cracking that pays. Protecting your software with a dongle can be expensive though (usually only programs that charge thousands are dongled) and can be overkill if the program is a piece of crap or simply isn't worth it. In the same breath, don't waste your time overprotecting your software if it's not something really good. Going nuts on a 15-20 dollar piece of shareware is a waste of your time.
c.) Which makes you laugh?
See "a" above.
d.) What is the most difficult scheme to crack?
See "b" above.
e.) Are a combination of schemes more effective? Or just a little more annoying?
Usually just more of an annoyance. But if you annoy a cracker enough he might get bored, discouraged or just sick of f*cking with it and move on. Get experimental with the debugger detection. They can help annoy. The ones that are out now are known and therefore easily gotten around, but keep coming up with new ideas. Get creative. It's what fuels both the developers and the crackers, and it's one more thing the cracker has to circumvent in order to just see whats inside. Same goes for disassemblers and decompilers ..
3.) If you were to protect OSCAR, how would you do it? Why?
I would leave out about 2/3rds of the serial numbers (leaving only the program name to let the end user see that the program they are looking for is available in it) and make them only available in the registered version which I would then have to ship out to each customer as a whole program rather than a database update.
"Why" I would do that I don't know since there are probably at least 4-5 other giant serial lists available for free.
4.) Is there anything out there the PC simply CAN'T crack?
There's no protection scheme that is not crackable at the moment. There was a time when crackers feared the 'server check' but that's long gone by now. Although some make it pretty difficult still (i.e. Battle.net) As long as a good cracker has tenacity and the desire to stay with a program it's gonna go down. The best you can do at this time is leave out code and create what's called 'crippleware.' Leave out an important chunk of code that the end user would definitely want/need but at the same time doesn't piss them off enough using the trial that they decide not to register. Print and Save are common ones, but a really good cracker, with the desire can add that code in himself at times.
5.) I once read in a PC tutorial that apps written in Visual Basic are hard to crack. Is this true? If so, why?
It used to be back in the vb3 and especially vb4 days. Not that they were uncrackable, but just more of a pain in the arse than most crackers wanted to spend time on. It had to do with the call to the runtime and the vb native code. Basically the older vb exe's were somewhat of a loader containing only certain information regarding that particular program and then doing everything in the runtime itself. If you tried to patch the runtime it could mess up it's interaction with other vb programs that needed to use it as well. Not to mention, the old vb apps looked like crap and usually were crap. Nowadays vb is a little different where it contains more of it's own code in the actual exe itself and is actually pretty easily cracked (although for many crackers it still seems to be a problem for them, I personally am happy when I'm forwarded a vb app to crack because I find them very easy). Sometimes more so than say a Delphi coded bloatware app. Tip to vb developers, sometimes compiling it to P-Code helps make cracking it more difficult, especially since there is no real P-Code Disassembler out at the moment (expect that to change soon) but you will have to trade some speed. Then again, with processors hitting the milestones that they have been, it may not be that noticeable anymore. But that is a whole different discussion.
Now if I could just f*ucking afford one without having to take out a tenth loan, or stealing baby teeth to sell to the tooth fairy ...
6.) Are there any new security techniques that has PC worried?
Just handcuffs. <g>
7.) If an author didn't protect their software, would that encourge or discourage more people to register?
Definitely discourage. Not many freeware authors I know of cruising the coast of Hawaii on a 50 foot yacht.
8.) Any advice you would like to give the developers?
Don't take it personal, no one's gunning for ya. Usually ...
Also, even though it can be discouraging when you just busted your arse on a program and just want to get paid for it now, and you see a crack out for it, remember that by the constant back n forth between the crackers and developers, software is evolving, getting better, and people are becoming more creative when it comes to coding in order to fend off the crackers. Only good things can come out of this creativity in the long run. Over the years I have already seen a nice evolution in some of the protection schemes and thankfully things don't stagnate for too long. My advice for developers is to learn learn learn. Know your language from inside out. As soon as new stuff comes out jump on it and learn it too. And then be very creative with your protections AS WELL AS your program itself. Make a dang good program and people will register it. That's the bottom line. God knows how many lame notepad programs I've had to crack.
One last thing, don't try and take on crackers. There's just too many out there and if you try it, they will definitely focus on your program and be sure to attack each version that comes out, sometimes for years. I've seen situations like that get pretty ugly for the programmer. Instead, if it's possible, try emailing them asking if they have any suggestions for how to better protect your program. We have some real geniuses out here cracking and in general they are very helpful when asked. I have had dialog with quite a few authors myself and helped them out. And I know of a few other crackers who have done the same in my group alone. Many are also authors.
Oh yea, if you're a big developer, rather than try and get all the crackers thrown in the hoose-cow, hire them instead. You'd have a guy (or girl) working for you that obviously loves code as a hobby, has definite skill, definite intelligence, a natural curiosity, and would be able to help you protect your software from first hand experience in the field as well as do the programming on it. Don't focus so much on degrees, there are alot of geniuses in the field that don't have any and your losing out because of your rigidity.
9.) Please include a short PC history and bio about you if possible.
All history on Phrozen Crew can be found at http://www.phrozencrew.com. (GeekDrop Note: Site no longer exists) It includes a history on us as well as current information to date.
A small bio on me would go something like this:
Handle: ThE STaRDoGG CHaMPioN
Group Affiliation: Phrozen Crew
Role: Council Member/Head of Cracking Division/Cracker
Years in PC: 3 1/2
# of personal releases: Approx. 600 for PC, approx. another 600 non-released
Age: I'd tell ya but I'd have to kill ya
Looks: Very very handsome <g>
I can (sometimes) be contacted at firstname.lastname@example.org
(GeekDrop Note: Email address no longer exists)