Password protected cluster opening solution

Hi,

you forgot your password[ I always do ] here is the solution. The cluster provided can not be opened.

have fun

Mike

Replies to This Discussion

Permalink Reply by David Rutten on February 15, 2013 at 6:30am

Please don't publicly post ways to defeat the limited protection cluster passwords provide. You can post them on your own blog of facebook page or whatever, but I'll remove them when they are posted here.

A word to the wise; if you want to be able to open your cluster without entering a password, DON'T PASSWORD PROTECT THEM.

David Rutten

david@mcneel.com

Poprad, Slovakia

Permalink Reply by Rémy Maurcot on February 15, 2013 at 8:48am

Thank you david. Very good reaction.

It would be unacceptable for someone to unlock a password cluster.

I am ready to deploy a plugin made entirely with cluster.
I'd be really shocked that this kind of code to unlock a cluster.

Regards

Permalink Reply by David Rutten on February 15, 2013 at 10:02am

Well, as Michael has proven it's not too difficult to break this protection if you're a good programmer. Security surrounding cluster passwords can never be watertight as Grasshopper needs to be able to unpack and run the cluster data without the user entering a password.

As passwords are only required to view or edit a cluster, they are 'after-the-fact' measures. In response to michael's solution I added an extra layer of protection* which will invalidate the exact methodology he used (at least every individual release will need a different hacker-script), but there will always be ways to get around this.

* basically the code that he cracked will now be automatically and randomly changed every time I compile Grasshopper

David Rutten

david@mcneel.com

Poprad, Slovakia

Permalink Reply by Rémy Maurcot on February 15, 2013 at 10:10am

Thank you very much david.
If I use a complex password, michael code still work?

Another question:
What happens if I insert a gha in a cluster.
The gha contained an information license.
If the person wants to crack this cluster, at least fake it is gha with an active license?

Permalink Reply by David Rutten on February 15, 2013 at 10:28am

Michael doesn't crack the password*, instead he copies the document inside the cluster which is already unpacked and running and moves all components into a new document. This completely circumvents the password protection.

How would you insert a GHA into a cluster? A GHA is a dll with a different extension that contains data types, parameters and components derived from Grasshopper SDK types.

I'll stress that there's really no way to stop clever people from hacking your files. It cannot be done. You can make it very difficult and you can demand legal agreements to be entered into which makes it factually illegal to disassemble your work. Grasshopper was never designed to be a secure platform, it was always my intention to make it easy to use and to develop for Grasshopper. I disliked the idea of password protection (in part because I knew that it could never be very secure) but too many people requested it and it could no longer be ignored. My personal feelings regarding obfuscation and password protection are outlined in a blog post if you want to read them, I shan't repeat them here.

* That really is impossible unless via a dictionary attack, and a dictionary attack only works if your password is likely to be on some database somewhere. For example if your password is "Horse" then there will be a 'dictionary' out there which lists it. By trying all words in these digital dictionaries eventually the password may be found. If however your password is "PresidentLincolnWasKilledUsingHorseRadishFlavouredBubbleGum" then nobody is ever going to try it.

David Rutten

david@mcneel.com

Poprad, Slovakia

Permalink Reply by Andrew le Bihan on February 19, 2013 at 1:01pm

Until now.

Permalink Reply by Richard Schaffranek on September 2, 2016 at 4:36am

Hallo David,

totaly agree on your blog post, however a client for whom I develop customised userObjects wants protection. I would like to understand the logic of the password protection implmented in user objects. where are the limits, e.g. is it possible to manipulate the a ghx file to overcome the protection?

if answering here goes to fare:

richard.schaffranek@gmail.com

thx

Richard

Permalink Reply by David Rutten on September 2, 2016 at 5:42am

UserObjects are not actually things, they are just files that cause Grasshopper to insert regular objects, most often script components or clusters.

The cluster must be able to decode the document inside of it and make it run without a password, which means that part of the process cannot be made secure. This document is loaded and must be stored in some variable somewhere, so it'll always be possible to access this variable and extract the document.

The only thing the password protection does is make the UI for manually viewing/editing the cluster conditional. This will only stop people who do not know how to use .NET Reflection.

Permalink Reply by Richard Schaffranek on September 2, 2016 at 6:03am

More specific:

Manipulating on the level of the ghx file doesn't work?

To use Reflect, I would need to load the file first with Grasshopper or a customised reader that can read Grasshopper files?

When done with Grasshopper which events fire when loaded?

Permalink Reply by David Rutten on September 2, 2016 at 6:30am

Manipulating on the level of the ghx file doesn't work?

That is correct. Since Grasshopper must be able to load the cluster data without asking for a password, it is mathematically impossible to secure the data.

To use Reflect, I would need to load the file first with Grasshopper or a customised reader that can read Grasshopper files?

That would be by far the easiest solution. If a password has been set the bytes describing the cluster file actually are encrypted using the hash of the password as a key, but all this does is throw more obstructions in the way of a cracker, it cannot logically stop them. If you let Grasshopper load the cluster it will do all the hard work for you at which point you just have to harvest the document variable.

There is something you might be able to do to add even more obstructions, and that is to create a special component using Visual Studio which sidesteps GH solution logic and which will crash Rhino+GH if ever it is drawn on screen without some additional condition being met that would identify the computer in question as the developer machine.

You can probably spend 6 months coming up with ever more intricate ways to make life difficult for crackers, but you have to ask yourself whether that is a worthwhile way to spend your life.

Permalink Reply by Richard Schaffranek on September 2, 2016 at 9:14am

THX, my advice to them is more or less what you said in your block post. However sometimes you have to do what the person who pays asks you to.

Permalink Reply by Aaron M. Ryan on April 29, 2015 at 6:53pm