Monday, May 3, 2010

Updates on Defeating Nitro-LM

Several weeks ago, I posted an article on how to defeat Nitro-LM, a commercial licensing and encryption tool for Flex/Air application developers. I came across this product during my search for a satisfactory intellectual property protection solution for my other projects. Of course, one way to test if this Nitro-LM framework is really as secure as it claims to be is to try breaking it myself.

While the Nitro-LM product website boasts a whole array of advanced security features, the architecture of the product is ultimately flawed. It only took me one evening to break the protection and to obtain the encryption key. There were a few challenging moments, and it was a fun academic exercise. I posted the procedures and my experience on this blog in the hope of sparking discussion on intellectual property protection solutions and encryption technology.

Soon after that post went live, I received a comment from Andrew Westberg, a member of the Nitro-LM team I suspect, saying that the Nitro-LM tool that I tested was an outdated product. I proceeded to obtain the latest codebase, Version 20091111, from Nitro-LM and found that it was no different from the code that I tested. Several days later, Nitro-LM released a new codebase, Version 20100422; unfortunately, it was just the same codebase obfuscated by a trial version of the Amayeta SWFEncrypt.

Since I have nothing against Mr. Westberg personally, and I had never heard of Nitro-LM until recently, I decided not to pursue the matter further. I did the test, I found the answer, and I shared my findings with others who may be shopping for an intellectual property protection solution so that they can make an informed decision. I also secretly hoped that Nitro-LM would take notice of my post and would redesign their product to address its problems. After all, the Nitro-LM tool does offer other useful features, such as license management, besides encryption.

Therefore, I was very disappointed when I received a DMCA takedown notice, informing me to remove the Nitro-LM post. It is apparent that the Nitro-LM team is more interested in covering up their flaws than in investing in researching and improving their product. Who uses a trial version of a third-party tool to encrypt their production version codebase? Why bother with the DMCA takedown notice if the version that I have tested was indeed outdated?

I have considered reposting the original article and adding other security flaws that I have discovered since the original post, but I have better things to do than deal with lawyers. I hope this post will serve as a warning for other developers. It is now clear, more than ever, that Nitro-LM is a failed product built on a flawed architecture and maintained by a team of uninspired developers who are more interested in talking with lawyers than in exercising their minds. I will continue to test other products, and hopefully, I will be able to recommend a truly dependable intellectual property protection solution soon.

[Update]
Note to Nitro-LM: As I said, your product has some interesting and useful features, other than the encryption part, and I would love nothing more than to see this product evolve and mature. I am disappointed to see the DMCA takedown notice, but I do not want to become your "enemy". I am always open to discussing ideas and sharing experiences on intellectual property protection, as one friendly developer to another.
