andrew@alberta.UUCP (Andrew Folkins) (06/26/85)
In article <11330@brl-tgr.ARPA> ron@brl-tgr.ARPA (Ron Natalie <ron>) writes:
>> What you get with the package is a small plastic
>> gizmo that plugs into the HP-IB connector on your 150.
>
>There's a generic name for the gizmo that "key" you plug into the
>micro that the software checks for, but I've forgotten what it is,
>can anyone help.
>
>-Ron

From "Unveiling the Pirate, Part 1: Current Methods", by Richart T. Evers published in _The_Transactor_, Vol 5, #3, pg 41.

----------------------------------
Dongle Protection

This form of protection is my personal favorite. You have at least a fighting chance against the pirate with this one, with the victor often the manufacturer. In case you are unsure what dongle protection is, let me explain. A dongle is a rude name for a hardware apparatus that is plugged into your computer.

[Details about Commodore machines]

Now for the explanation of what they do. Inside the dongle can be found anything from one piece of wire to a complete assortment of electronic components. For an added thrill, use the results generated by the dongle in the calculations and operation of the program itself. Anything from timers or pulse multipliers to frequency generators or filters can be included. Therefore, even if the hacker can manage to stop the program from checking for the dongle, the program may never work properly again.
----------------------------------

This section of the article continues with methods for making the dongles themselves unbreakable, including :

- Extra components and obscure wiring to make X-rays difficult to interpret

- Removing identification markers from the components to prevent identification if the dongle material is easily removable

- Use a tough material to encase the components. The author recommends methyl methacrylate (denture material), as it is impervious to solvents and heat, "the easiest and least expensive being Tray Material". It costs about $8.00 per pound, and it could be difficult to obtain as the dental profession frowns on outside sales. "Try a few of the smaller dental supply companies, or smaller dental manufacturers. These companies will often deviate from normal procedures, with the correct amount of prodding."

- "Place a few very important thin wires throughout the material itself. Once the chipping begins, these wires will be cut by the illustrious chipper, thus making the dongle useless."

------------------------------

I agree that this type of protection has many advantages. The author makes several points : it is easy for the user to install (or should be), it is easy on his hardware because the programs do not (should not!) need to be copy protected so there is no head-banging on the part of disk drives trying to read non-standard disk formats, and, if the dongle is sophisticated enough and is actively used by the program, it becomes prohibitively expensive to break the program and quite difficult to copy the dongle. It also allows the user to make as many back up copies as he wants, which is one of the major problems with copy protected software ("Sure, send us _your_ copy and we'll send you a replacement for $50.00 when we get around to it . . .") .

One only hopes that manufacturers are kind enough to put the name of the program on the dongle, it would be fun sorting through a drawerful of these things trying to find the right one.

--
Andrew Folkins        ihnp4!alberta!andrew
Underlying Principle of Socio-Genetics : Superiority is recessive.
jabusch@uiucdcsb.Uiuc.ARPA (07/02/85)
This is just the sort of thing that is most distressful about the current state of software development. It seems that a lot of companies are placing more time, effort and money into copy-protection schemes than into useful software research. Just think how far the most powerful programs that are popular today might be by now if all the software protection was forgotten and someone actually concentrated all their efforts into the software itself.

I guess that's too much to ask since so few seem to think that this is the way to go. Instead you get all of these brain-damaged ideas for hardware protection and software protection. I wonder how many of these people feel that they should flame Intel for segmentation?

[ these are solely my views ]
John Jabusch
CSNET: jabusch%uiuc@csnet-relay.ARPA
andrew@alberta.UUCP (Andrew Folkins) (07/04/85)
In article <5100077@uiucdcsb> jabusch@uiucdcsb.Uiuc.ARPA writes:
> This is just the sort of thing that is most distressful about
>the current state of software development. [...] Just think how far the
>most powerful programs that are popular today might be by now if all
>the software protection was forgotten and someone actually concentrated
>all their efforts into the software itself.
>
>[ these are solely my views ] John Jabusch
> CSNET: jabusch%uiuc@csnet-relay.ARPA

Hmmm. I agree that dreaming up exotic protection schemes may lower the overall quality of the program due to the extra work done by both the program and the machine, but when you compare the amount of effort that goes into a major product to what it takes to protect it, there shouldn't be that much effect. If there is, then you should have serious doubts about the program ("Who cares if it's buggy? It's unbreakable!").

The point is, there are always going to be some authors who will want to protect their software, and in my opinion, when you have to protect your software, the dongle scheme (who thought that stupid word up, anyway) makes a lot more sense than any of the other methods around.

Personally, I think freeware is a great idea : no overhead!

--
Andrew Folkins        ihnp4!alberta!andrew
Underlying Principle of Socio-Genetics : Superiority is recessive.
jabusch@uiucdcsb.Uiuc.ARPA (07/06/85)
I agree that software protection is probably not the major cost in development, but look at recent developments like "ADAPSO", which is a new organization designed to combat piracy. I can understand their concern, in that they might not be making as much money as they could if no piracy existed. However, there was a recent survey done (I think by Lotus Development, but I'm not positive), aimed at determining the amount of piracy going on out there. Their claim was that more than 50% of software out there is pirated! I seriously doubt that they took into account all of the public domain software, or else their sample questionnaire probably had something like:

    How many software packages do you own/use?
    How many of the above did you pay for?
    How many of the above did you copy from someone else?

I find it very hard to believe that it might have gone deeper than this, because the purpose of the survey was to support the need for legal recourse for piracy, else it never would have been funded by those who did it.

Look more closely at "ADAPSO". I am looking at an ad from a new "Lotus" Magazine, Vol. 1 number 3, which has been in our office for a couple of days. There is a full-page spread describing the illegalities behind software piracy. They are offering free pamphlets if you call or write. Where is all this money coming from? I seem to recall that this organization was put together by Ashton-Tate (dBASE II/III) and Lotus and a few other major software vendors, although I might have mixed these up. Nonetheless, it takes capital to start this, and where could it have come from but from the profits of some software vendors and other interested parties. One of the earlier articles I read on ADAPSO stated that ADAPSO would be combating piracy and researching new copy protection methods. This falls into the same category as spending a lot of money on protection and increasing the overall price of the package, even if the research and design that went into the package was only slightly affected by the protection scheme.

ADAPSO also claims "There are legal, moral and economic imperatives forbidding theft of copyrighted software." I agree with this, of course. I too would like to make a profit on software that I develop. I tend to think that Borland has the right approach, though. A short article in a recent PC magazine claims that before Borland came along with Turbo Pascal, there were market surveys that indicated a total market potential for 30,000 pascal compilers. That was based on the available compilers and development systems then available, which ranged from $300 to $700. Then along comes Borland, and sells over 300,000 copies! Doubtlessly there are pirated copies of Turbo floating around out there, but how many people would bother to steal a copy when they can have a legitimate copy plus a real manual, etc. for around $50? I know there are the die-hard pirates, but it doesn't matter what anyone attempts to do, they'll find a way to undo it.

Corporate pirating is a more serious matter, as it is done by a company simply because the software can cost easily twice the price of the machine. How many software vendors out there that carry very popular packages support site-licensing? I can tell you the answer from my own research: very, very few! I have put together a quantity of business systems recently, and the average cost of the hardware for IBM-type machines has been around $5000 to $6000. Notice that I said "average". The software prices have ranged from $1500 to $8000. Software developers have an even higher cost, as they need to either purchase a good set of development tools or write their own. If a company could get a site license, such as is available with the Unix license, then they could add more machines to increase their level of automation and still pay the same price. Usually the concern is to provide enough machinery for the level of automation desired, and then very little is left over for software, respectively. This happens all too frequently when a company with no experience in automation tries to make these types of decisions without qualified help.

I could see providing software on a site license and then selling manuals and other niceties like keyboard overlays at quantity discounts. This is a great way to prevent piracy. If a company has a site license, then it is indeed hard to make extra copies of the software to use at that site and call that piracy. The vendor gets the desired money, and can sell manuals at decent prices for those who need them. Even the most expensive manual around would probably cost less than $75 if it fits into a single 6"x9" binder.

How about moral issues? I have seen some of the most immoral things going on recently in software sales. Look at IBM's shrink-wrap agreement, or Lotus', or MicroCad's, or ..., etc. Most of them have the same thing in common: *no* guarantee that there is software on the diskette! Legally, if the shrink-wrap issue becomes law, then any of these that are left this way cannot be pursued by the legal system, in case of actual problems, depending of course, on regional laws governing consumer protection. You can claim all you like that no company would refuse you a second copy of the product if the disk is blank, but think about that. What if they did? What is your recourse? What if you get a buggy version that trashes your hard disk? Again, recourse?

Myself, I resent paying upwards of $300 for a diskette that is guaranteed against physical failure and a manual! I want the software and some sort of update policy for fixes! I don't want to have to argue with a vendor that their software has a bug and is unacceptable, I want to be able to discuss the fixes in a reasonable manner and be sent a low-cost replacement. If you bought a book and it had a page missing, the bookstore would replace it. If you bought a stereo and the tuner died in two days, then you would take it back and have it fixed under warranty. The warranties for items like this are printed right in the owner's manual, while the warranty for software that comes with the packages mentioned is really a disclaimer for liability of any kind. It's easy to give warranties for physical properties of diskettes when that is supported by the disk's original manufacturer! How about guarantees of your own product?

If I made something for someone and sold it to them, and it failed in a very unreasonably short time, then I would feel obliged to fix it! If I made a large quantity, I would then be selling them with a written warranty, with a reasonable time limit for expiration. A lot of these vendors are doing just the opposite. There is no implied or expressed guarantee that their software works or is accurate or will do the job they claim or is even on the disk. That is *the most immoral thing* I can see in the industry. It extends beyond the immorality of piracy, if you can argue by degree. And yet the vendors claim that they are being hurt! Who's offering any protection or care for, or professional pride in their dealings with the consumer?

In my opinion there is far more at stake here than piracy, even though it is indeed a major concern. Copy- and consumer-protection are being placed on opposing sides, with the innocent user bearing the brunt of the punishment.

These are my opinions, and others have the right to agree or disagree, etc. (all of the usual disclaimers)

John W. Jabusch
CSNET: jabusch%uiuc@csnet-relay.ARPA
UUCP: {ihnp4,convex,pur-ee}!uiucdcs!jabusch
USENET: ...!{pur-ee,ihnp4}!uiucdcs!jabusch
ARPA: jabusch@uiuc.arpa
forbus@uiucdcsp.Uiuc.ARPA (07/07/85)
"Dongles" are a truly silly idea. They have the same bug the "key disk" idea has -- what if your "dongle" gets trashed? Same scenario: 9 PM Friday evening, report which must be finished by Monday morning, dog chews dongle to pieces. Or if a kid thinks of the dongle as a pretty thing to play with and loses it...I cannot imagine rational people buying software that requires such crud.
fetrow@entropy.UUCP (David Fetrow) (07/09/85)
>
> "Dongles" are a truly silly idea. They have the same bug the "key disk"
> idea has -- what if your "dongle" gets trashed?

It's a matter of degree though. A key disk is ridiculously susceptible, a dongle only moderately so. For a copy protection scheme it's relatively innocuous.
frans@duvel.UUCP (Frans Meulenbroeks) (07/10/85)
Let me give my *very personal* opinion:

I've heard estimates that for every popular program 1 to 5 pirated copies exist. While I don't believe the latter, the former may be quite accurate! I think there is a hell lot of copying going on in some areas. In some countries copying software even seems to be legally allowed. Of course not every owner of a pirated copy would have bought one, if he/she had to pay the full price for it. But still I think a lot of pirated copies remain.

I think that some protection must be there, especially for the more advanced/expensive packages. It takes a long time to develop and test such a package, and the company who makes such a piece of software should be paid for it. I, at least, wouldn't accept that people stole the profit, I worked so hard for. (Isn't that the way an American newspaper boy becomes millionaire? :-).)

I know that developing protection mechanisms costs time and money. However, I don't think that it is the money of the customer. Protection is in his advantage, because it reduces piracy, and thus boosts package sales. This may actually lead to price reductions! (Remember the old economics law: greater volumes; lower prices).

Of course, I think that time spent on developing mechanisms could be used better. But if a product is undersold due to piracy, the company which developed such product may cease to exist, instead of developing better products.

Also, I think that a customer needs backup copies (just in case that one spills coffee over it). Therefore I think that the dongle approach is much better than schemes that rely on physical copy protection. Of course one can also lose one's dongle (or it can be chewed up by one's dog). That's a problem, but it shouldn't be overemphasized. If you lose your dongle that's just bad luck. (Compare it with cars: Do you expect that G.M. gives you a free car just because you lost the previous one?? Why expect a different policy from software companies?) If you want to be really safe, then you'll have to buy more copies, just like you need to buy more cars, if you *must* have access to a car at any time.

I think that protection is just needed, for the time being. Of course, I would like the disappearance of the need for protection. And yes, I am for freeware, but I think, that freeware doesn't work in case of rather expensive, specialized packages.

One final note: shrink-wrap agreements are just not valid in a lot of countries yet. I'm really not sure if they are legal in the Netherlands or not. However in any case I'm pretty sure that all shrink-wrap agreements in English won't be valid in the Netherlands, just because Dutch people are not required to speak English.

<These views are my own and do not represent the views of any company I've worked for, or ever will work for (including my own :-)) bla.bla...>

P.S.: Does someone know a good book concerning protection mechanisms; the advantages and disadvantages of various methods and so on? (or do I have to write my own :-))

--
Frans Meulenbroeks, Philips Microprocessor Development Systems
...!{seismo|philabs|decvax}!mcvax!philmds!frans
nclee@sbcs.UUCP (Nai Chi Lee) (07/10/85)
> Protection is in the customer's advantage, because it reduces piracy, and
> thus boosts package sales. This may actually lead to price reductions!
> (Remember the old economics law: greater volumes; lower prices).
>

The economics law I remembered is: ( supply < demand ) ==> higher-price

> If you want to be really safe, then you'll have to buy more copies
>

OK, here is my prediction --

Week1: all softwares are copy-protected by a perfect scheme: the computer will explode if one tries to do a "copy" or "diskcopy"
Week2: customers panic, rush out to buy more copies as back-up;
Week3: software companies double all prices (since the demand doubled)
Week4: new market drops to half (due to the high prices);
Week5: software companies double all prices again (since sales halved)
Week6: new market drops further
Week7: software prices rise further

and so on and so on and so on ...
forbus@uiucdcsp.Uiuc.ARPA (07/12/85)
I totally disagree that there is a "need" for protection, and quite frankly do not believe the statistics quoted concerning piracy. There are a number of companies who make excellent products and do not perceive the "need" for copy protection. Among them are:

    Mark of the Unicorn (Final Word)
    SORCIM (SuperCalc 3, SuperProject)
    Trigram Systems (MicroSpell)
    Hayes (Smartcom II software)
    Borland International (Turbo Pascal, Sidekick, SuperKey)
    XYplus (XYwrite)
    Applied I (Tutsim)
    Data Transforms (Fontrix)

Furthermore, they all seem to be doing pretty well in the marketplace. So why, for heaven's sake, would I want to buy software that made me carry around a stupid dongle? As users get more and more sophisticated they will be less and less willing to put up with this sort of nonsense.
mwf@mtgzz.UUCP (m.w.field) (07/13/85)
Remote Systems Inc of VA make a line of devices called secureware for the PC. These consist of (in ADAPSO terminology) a keyring, a carrier that communicates to your serial or parallel port into which you plug keys. The key is some kind of device that has your serial number on it. (Call Arly Wright (703) 734 8250) Another version plugs directly into an expansion slot.

I am not very impressed with the security offered by these (expensive) devices. I think a programmer armed with DEBUG could defeat them given a little time. They do offer the user the ability to make back up copies though.

I am not sure which gives me more pain using this device or having software copied.

A recent report I read said that the only effective hardware security device was something that was an integral part of the program, such as a mouse controller used because your software uses that kind of device.

Life is unfair; things are much easier for hardware manufacturers.
jabusch@uiucdcsb.Uiuc.ARPA (07/13/85)
I agree with Lester Waters. The age-old economic laws also state that greater demand for a given product causes competition for that product, yielding higher prices until the supply of that product is raised sufficiently to reduce competition or until demand decreases. When competition between consumers for a product or service is low, then consumption of the product or service decreases and prices decrease in an attempt to increase sales.

Consumers do indeed see the results of copy protection costs to the vendor. Who else is going to pay the price? Vendors don't get their money from trees. The money always comes from the consumer, whether it is easily seen or not. It works like this:

Vendor invents software... large design and development costs. Then vendor tests software. Then vendor invents copy protection scheme or uses licensed version from someone else. This costs the vendor, no matter how it is done. Now vendor has a product to market, but needs to decide on cost for consumer.

First, vendor estimates what the software cost to develop, package and market.

Next, the vendor estimates total market for the product. (how many might be sold)

Third, the total costs for the product, plus advertising is spread out over all estimated copies sold. This might work out to be a high or low number, depending on how specialized the product is or how high the development costs were, etc. This value is used as a low-end price estimate, since it is necessary to make at least this to clear a profit.

Lastly, the vendor then tries to estimate how high a price the market will bear. This is usually used as a more realistic price, and almost always comes out higher than the cost of the product, since otherwise the product is not profitable to market.

Then the price is actually placed on the product. It is not always as high as the market will bear, just to help with larger quantity of sales. However, remember that the software market is not truly elastic.

Anyway, it *is* the consumer that pays for the protection.
It *is* the consumer that puts up with the protection.
It *is* the consumer that cannot make sufficient backups.
It *is* the consumer who gets no flexibility in his/her system configuration, due to protection schemes.
It *is* the consumer who is forced to buy extra protection-hardware.
It *is* the consumer who has to have a floppy disk on his/her system.

How many of you out there would buy a small Unix-based system if all the products (software) which you wished to run required that a key-floppy be in the floppy drive? Wouldn't this just tend to get in your way, too?

I am not saying that there is no reason for copy-protection, but that since there is no reasonable scheme which allows all users to make do with a package, then there should be no protection on that package. It is utterly ridiculous to think of a book with a lock on it. It is also ridiculous to simply submit to these protection schemes which force you to make do with a less-than-desirable system. What good does it do to have a hard disk if you still have to have the floppy to load files? (or to check?) The hard disk has a purpose to most buyers: faster file access, larger storage capabilities, escape from cumbersome floppies, escape from disk-swapping, etc. These have all been hurt somewhat by various protection schemes. Software that won't load onto the hard disk is useless for this type of user, but how is he/she to tell unless the package indicates what type of protection is in the software? Too many tales of this kind abound.

To meet their requirements, some consumers buy the 'backup' copying packages. Of course, pirates do, also. Nonetheless, there is no real reason for the innocent consumer not to do so. If you, the consumer, wanted to keep a quote from a book readily at hand, you might copy it and place it in a file. If the book was a professional book which you referred to often, you might be seriously delayed or your productivity might be decreased if your copy was accidentally marred or irretrievably lost. Software is *far* more volatile than paper. If your software is lost due to disk error or whatever, then you have to either return the diskette, hoping for a reasonable reaction from your local retailer, or mail it to the vendor, again hoping for a reasonable reaction and quick response, or more appropriately, just get out your backup copy and continue working.

As it stands, the solutions are far from adequate for both the consumer and the vendor. However, it is the innocent consumer that has to absorb the brunt of the problems with costs and copy-protection schemes, etc. I'm glad that not all vendors support copy protection and I'll continue to support them as long as humanly possible.

These are my views, not those of my employers, etc.

John W. Jabusch
CSNET: jabusch%uiuc@csnet-relay.ARPA
UUCP: {ihnp4,convex,pur-ee}!uiucdcs!jabusch
USENET: ...!{pur-ee,ihnp4}!uiucdcs!jabusch
ARPA: jabusch@uiuc.arpa
frans@duvel.UUCP (Frans Meulenbroeks) (07/17/85)
In article <5100083@uiucdcsb> jabusch@uiucdcsb.Uiuc.ARPA makes a case
against copy protection. Without actually quoting him, I'll comment
on some of his objections.
Of course software protection costs the customer money, however
indirect it may be. But as you point out, the base-price of a package
depends on the estimated number of copies sold. This estimate is higher
if there is a *good* protection scheme available. So there is at least
some justification for the statement that more copies (expected to be)
sold *may* lead to lower prices.
I agree that copy protection is not a good way to go. I agree with your
objections against it. But therefore I am proposing to use a dongle!
This makes it possible to copy the software onto everything, and one
can create as many backup copies as one wants. But one can only use
one copy at a time, because the dongle is needed to run the package.
This dongle can be placed anywhere in the system. A dongle is much
less vulnerable to destruction than a floppy, and therefore more
acceptable I think. For those who still want a backup dongle:
Do you also have a backup PC??
The main disadvantage, I see, is that every product uses its own dongle,
and therefore one has to switch dongles too often. Therefore, the dongle
might (must?) contain a unique serial number, where all packages (at
least from the same manufacturer) check for. Badly enough IBM didn't
build serial numbers inside the PC.
If you are still complaining about the few bucks, copy protection
*might* cost you, then you should *never* consider buying a system with
a serial number built in (like a Sun), because that also causes extra
cost. (Actually you should never buy a PC, because that logo on the
monitor and cabinet cost money, and there is no use for it :-) (except
for snobs :-):-))) Are you also complaining when your system has an I/O
port which you will never use???
I advocate the following protection scheme:
Protection is done by checking for a unique serial number.
This makes backup copies possible.
If that serial number is not standard available, then a dongle with a
unique number is given *for free* when someone buys its first package.
They can be given for free, because good protection gives extra profit.
The next package he buys for the same machine, will check for the
same number.
Of course this scheme is not completely safe. But any scheme can be
defeated with enough effort. It's something, and it imposes no backup
problems.
Any objections (except dongle cost)?? Better ideas? Major defects?
--
Frans Meulenbroeks, Philips Microprocessor Development Systems
...!{seismo|philabs|decvax}!mcvax!philmds!frans
dmimi@ecsvax.UUCP (Miriam Clifford) (07/17/85)
The use of a built-in serial number for each machine can work very well, BUT--

Suppose I replace a machine with another that will run the same software? Do I then have to get all new copies of any software I'm using? Or will there be (in all cases) an easy, quick way to re-register the software so I can still use it on the new machine? Or am I forced to buy all new software, even though I'm still using it on only one machine albeit a different machine?

{decvax,ihnp4,akgua}!mcnc!ecsvax!dmimi
Mimi Clifford
2535 Sevier St
Durham, NC 27705
919-489-4821
919-684-2854 (Wed)
hes@ecsvax.UUCP (Henry Schaffer) (07/17/85)
Checking for serial numbers in the machine or in the dongle can be extremely limiting. I believe I have a right to carry a program home with me to use there (or I might buy a new machine as ecsvax!dmimi pointed out) - I can carry the dongle with me, but what if that one dongle is needed for two programs, and I'd like to leave one at work for other people to use. Or at work we may have several programs from one vendor, but we'd like to use them on different cpus - this couldn't be done if they all needed the same dongle or serial number.

--henry schaffer
slerner@sesame.UUCP (Simcha-Yitzchak Lerner) (07/18/85)
>
> I am not very impressed with the security offered by these (expensive)
> devices. I think a programmer armed with DEBUG could defeat them
> given a little time. They do offer the user the ability to make
> back up copies though.
>
> I am not sure which gives me more pain using this device or
> having software copied.
>
> A recent report I read said that the only effective hardware security
> device was something that was an integral part of the program, such
> as a mouse controller used because your software uses that kind of
> device.
>
> Life is unfair; things are much easier for hardware manufacturers.

As the Principal Engineer of ADAPSO's "Software Authorization System (SAS) Proposal", I would like to make a few BRIEF comments in response to your remarks.

1. The proposal does not include any details of the protection mechanism. The design of a software lock/hardware key combination is entirely up to software vendors and/or 3rd parties. The SAS is ONLY a proposed communications standard.

When I first investigated the situation of hardware protection devices, there were 125 (!) different products either in planning or production. They all had some similarities, and almost all could not co-exist on the same system. To avoid the horror of replacing the swapping of coded disks with the swapping of hardware devices, ADAPSO developed a proposed communication standard so that all these devices could co-exist. (Many other benefits -- particularly cost savings -- evolved from ADAPSO's work, but I will not bore you with the details now)

2. "Any programmer with debug will be able to defeat this type of system." This is NOT correct. While a poorly designed software lock could be defeated this way, most manufacturers that I have talked to are putting in a few features that will make this very difficult if not impossible:

A. The program generates a random "question" which is sent to the key. The key returns an answer which is verified by the host.

B. A part of the program code and/or structure is stored in the key for downloading. Some more adventurous firms are actually having several critical routines (of an inobvious nature) execute WITHIN the key.

C. Almost all firms are planning to design a key so that it could not be shared by multiple machines via a "Y" connector or similar machination.

As far as cost, the key ring (central communication device of which a PC need only one for use of several keys simultaneously) will cost in the $25-75 range, depending on features, number of slots, etc. The cost of a key will vary by complexity, but cost (to S/W vendor) will be from $4 on up.

For those wishing more details, the proposal is in the final stages of preparation. Copies will be available via ADAPSO. (I would offer to post it except that it would be lacking too many critical diagrams...)

VIEWS EXPRESSED HERE ARE NOT NECESSARILY ANYONE'S, PARTICULARLY THEY ARE NOT NECESSARILY THE VIEWS OR OPINIONS OF LOTUS DEVELOPMENT CORP.

--
Simcha-Yitzchak Lerner
{genrad|ihnp4|ima}!wjh12!talcott!sesame!slerner
{cbosgd|harvard}!talcott!sesame!slerner
slerner%sesame@harvard.ARPA
mjg@ecsvax.UUCP (Michael Gingell) (07/18/85)
Software protection is like Airport Security - a pain but sometimes necessary to prevent the excesses of human nature. We all have to suffer as the result of the actions of some irresponsible individuals (and companies in some cases !).

I hate software protection but I have seen the pirates in action and I can understand but not sympathise with the vendors who charge an arm and a leg for a package that costs less than $20 to make in quantity. I read recently that Lotus is a $100M a year corporation - all that from one package that probably cost 1% of that to create. It is reasonable to charge a price which allows you to recoup your costs, pay the shareholders and plough back some money into new developments but I think the consumer sees the prices charged as excessive and feels that for a product where you give up most of your rights just by opening the box and looking at it the manufacturer deserves to be ripped off.

(Sorry, I got carried away.)

The above are my personal opinions and are not meant to reflect discredit on any particular company or individual. (This is my "Software disclaimer").

Mike Gingell
...decvax!mcnc!ecsvax!mjg
dick@ucsfcca.UUCP (Dick Karpinski) (07/20/85)
In article <94@duvel.UUCP> frans@philmds.UUCP (Frans Meulenbroeks) writes:
>The main disadvantage, I see, is that every product uses its own dongle,
>and therefore one has to switch dongles too often. Therefore, the dongle

As one of the (probably parallel) inventors of the dongle, I can say that this problem was thought through. First, any dongle should only respond when the port is not otherwise being used, eg only when DTR and DSR are both off. Secondly, it should respond only to a specific request sequence. Thus if you have six of them, one after another in a daisy chain, each will respond only to its own software and all will be well. OK?

Dick
--
Dick Karpinski
Manager of Unix Services, UCSF Computer Center
UUCP: ...!ucbvax!ucsfcgl!cca.ucsf!dick
(415) 666-4529 (12-7)
BITNET: dick@ucsfcca
Compuserve: 70215,1277
Telemail: RKarpinski
USPS: U-76 UCSF, San Francisco, CA 94143
slerner@sesame.UUCP (Simcha-Yitzchak Lerner) (07/23/85)
> The use of a built-in serial number for each machine can work very
> well, BUT--
>
> Suppose I replace a machine with another that will run the same
> software? Do I then have to get all new copies of any software I'm
> using? Or will there be (in all cases) an easy, quick way to re-register
> the software so I can still use it on the new machine? Or
> am I forced to buy all new software, even though I'm still using it
> on only one machine albeit a different machine?
>

The advantage of key/key ring systems, as proposed by ADAPSO, is that all protection hardware is EXTERNAL to the machine, and therefore easily transported in the event of either hardware failure or the software being used on a few machines in a non-simultaneous method.

----------------------

PS: for those wanting the address to contact ADAPSO for the soon to be released proposal for a communications standard for h/w protection devices, please contact them at:

    Becky Spenser
    ADAPSO (Association of Data Processing Service Organizations)
    1300 North Seventeenth Street
    Suite 300
    Arlington, VA 22209 USA

Included in the proposal will be several implementation SUGGESTIONS to help assure a more robust protection system than is currently used (make the system patch resistant, non-sharable, etc.).

--
Opinions expressed are public domain, and do not belong to Lotus Development Corp.
----------------------------------------------------------------
Simcha-Yitzchak Lerner
{genrad|ihnp4|ima}!wjh12!talcott!sesame!slerner
{cbosgd|harvard}!talcott!sesame!slerner
slerner%sesame@harvard.ARPA
revc@gwsd.UUCP (Bob Van Cleef) (07/26/85)
Another company without copy protection is MicroPro. They had a copy protection scheme on WordStar 2000 and removed it because of customer demand.

(Note: According to the local MicroPro Rep., if you have the old version and did not register it, you did not receive the FREE upgrade to the non-protected version.)

Does anyone know what impact that policy change had on:
    Their corporate image.
    Their sales.
    Their profitability.

Bob
--
Bob Van Cleef
...sdcsvax!gwsd!revc
Gateway Computer Systems
(619) 457-2701
4980 Carroll Canyon Road
San Diego, CA 92121
che@ptsfb.UUCP (Mitch Che) (07/27/85)
In article <200@sesame.UUCP> slerner@sesame.UUCP (Simcha-Yitzchak Lerner) writes:
>As the Principal Engineer of ADAPSO's "Software Authorization
>System (SAS) Proposal", I would like to make a few BRIEF comments
>in response to your remarks.
> ........
>
>2. "Any programmer with debug will be able to defeat this type
>   of system." This is NOT correct. While a poorly designed
>   software lock could be defeated this way, most manufacturers
>   that I have talked to are putting in a few features that
>   will make this very difficult if not impossible:
>
>   A. The program generates a random "question" which is
>      sent to the key. The key returns an answer which is
>      verified by the host.
>
>   B. A part of the program code and/or structure is stored
>      in the key for downloading. Some more adventurous
>      firms are actually having several critical routines (of
>      an inobvious nature) execute WITHIN the key.
>

Unfortunately, the same drop in price ($) of silicon technology (e.g. ROM, etc) that makes dongles economical is going to make intelligent "peripherals" which passively monitor the RS-232/dongle link and learn the "protocol" relatively cheap (compared to the software+dongle). (I can see it now, CopyXVI PPC!! Think about the problems trying to stop the sale of these on the grounds they're used for pirating-- "Yes, your honor, we're just selling advanced datascopes. We can't control how they're used... Yes, they are beauties, why you can even upload/download instructions to them...")

Hmm, now if you can figure out a way to sell the software to the user but not let him/her have it at all, you may have something. (After all, users are just such vile, bothersome creatures.)

--
Mitch Che
Pacific Bell
---------------------------------------
disclaimer, disclaimer, disclaimer, too
(415) 823-2438
uucp: {ihnp4,dual}!ptsfa!ptsfb!che
mojo@well.UUCP (Mojo Jones) (07/30/85)
In article <138@gwsd.UUCP> revc@gwsd.UUCP (Bob Van Cleef) writes:
>Another company without copy protection is MicroPro. They had
>a copy protection scheme on WordStar 2000 and removed it because
>of customer demand.
>
>Does anyone know what impact that policy change had on:
>   Their corporate image.
>   Their sales.
>   Their profitability.
>

I'm not in a very good position to judge the impact, but I think removing the copy protection was the best thing we could have done. Nothing can undo all of the damage done by releasing it copy protected to begin with. But later reviews of ws2000 are significantly better than earlier ones.

On the other hand, our sales and profitability are a matter of public record. Our last quarter, ended May 31, was our first profitable quarter of the past four. Revenues were slightly higher than the previous quarter, and lower than the same quarter from the previous year.

---
Mojo ...is Morris Jones, MicroPro Product Development
{dual,hplabs,ptsfa,apple}!well!micropro!kepler!mojo
peter@kitty.UUCP (Peter DaSilva) (08/01/85)
If you're going to put part of the code in the dongle, why not put ALL of it in the dongle? I mean, cartridge software is reliable and fast to load, and with today's PROMs you can get quite a lot of code in one. Of course you can't call it a cartridge, because then people will think "GAME MACHINE". How about "THEREWARE", because it's always there waiting for you?

But then you'd have to worry about all the hackers with PROM burners.
slerner@sesame.UUCP (Simcha-Yitzchak Lerner) (08/02/85)
> If you're going to put part of the code in the dongle, why not put ALL of it
> in the dongle? I mean, cartridge software is reliable and fast to load, and
> with today's PROMs you can get quite a lot of code in one. Of course you can't
> call it a cartridge, because then people will think "GAME MACHINE". How about
> "THEREWARE", because it's always there waiting for you?
>
> But then you'd have to worry about all the hackers with PROM burners.

Two comments:

1. A key with 1K ROM is a lot cheaper than a key with 300K ROM. One major goal is to keep key cost at $5-7.

2. The code is executed IN THE KEY. This is not the same as the PC executing ROM code from a key. The 'software lock' passes a subroutine ID and parameter block to the key, and the key fiddles with it and passes a parameter block back. Just to make it more fun, some parameters could be dummy, and a state machine could cause the mapping of routine-id to actual routines to vary. VERY hard to figure out and patch.

PS: While someone @ a large lab could take apart a key and scan it in an attempt to pirate, this is avoidable using a coating developed for UK MoD, which is supposed to make ICs non-scannable.

--
Opinions expressed are public domain, and do not belong to Lotus Development Corp.
----------------------------------------------------------------
Simcha-Yitzchak Lerner
{genrad|ihnp4|ima}!wjh12!talcott!sesame!slerner
{cbosgd|harvard}!talcott!sesame!slerner
slerner%sesame@harvard.ARPA
wrbull@aluxe.UUCP (bullman) (08/06/85)
> > If you're going to put part of the code in the dongle, why not put ALL of it
> > in the dongle? I mean, cartridge software is reliable and fast to load, and
> > with today's PROMs you can get quite a lot of code in one. Of course you can't
> > call it a cartridge, because then people will think "GAME MACHINE". How about
> > "THEREWARE", because it's always there waiting for you?
> >
> > But then you'd have to worry about all the hackers with PROM burners.
>
> Two comments:
>
> 1. A key with 1K ROM is a lot cheaper than a key with 300K ROM.
>    One major goal is to keep key cost at $5-7.
>
> 2. The code is executed IN THE KEY. This is not the same as the
>    PC executing ROM code from a key. The 'software lock' passes
>    a subroutine ID and parameter block to the key, and the key
>    fiddles with it and passes a parameter block back. Just
>    to make it more fun, some parameters could be dummy, and
>    a state machine could cause the mapping of routine-id to
>    actual routines to vary. VERY hard to figure out and patch.
>
> PS: While someone @ a large lab could take apart a key and scan
> it in an attempt to pirate, this is avoidable using a coating
> developed for UK MoD, which is supposed to make ICs non-scannable.
>
> --
> Opinions expressed are public domain, and do not belong to Lotus
> Development Corp.
> ----------------------------------------------------------------
>
> Simcha-Yitzchak Lerner
>
> {genrad|ihnp4|ima}!wjh12!talcott!sesame!slerner
> {cbosgd|harvard}!talcott!sesame!slerner
> slerner%sesame@harvard.ARPA

I'm sorry but anybody with a $100 logic analyzer could scarf up anything and everything written to and read from the dongle. You don't have to duplicate the dongle, you just have to mimic it.

I can see it now, you bring in your dongle to your local Kmart and get a duplicate made, the same way house and car keys are duplicated. Or will the lockmakers make you buy a new house or car every time you lock your keys inside or at least buy the replacements from them??

The CD ROM is still a possible solution(not now, but soon). The ultimate solution is to have the software price cheap enough to make it not worth the trouble. Borland has the right idea. I don't want to see programming sweatshops anymore than the next person because I program for a living.

William R. Bullman
AT&T Bell Laboratories
Allentown, PA

...!aluxe!wrbull

/* Usual Disclaimer */
webber@utcs.UUCP (R. D. Webber) (08/07/85)
In article <792@aluxe.UUCP> wrbull@aluxe.UUCP (bullman) writes:
>
>I'm sorry but anybody with a $100 logic analyzer could scarf up anything and
>everything written to and read from the dongle. You don't have to duplicate
>the dongle, you just have to mimic it.

One exception to this is the case where a proprietary or unusual algorithm is involved, as in some scientific programs. In this case, writing the code to replace the dongle would, presumably, be involved enough that it would be almost as easy to rewrite the whole thing. Of course, in that case the dongle becomes a special-purpose (high-speed, one hopes) attached processor, which is a slightly different deal. I feel a little uncertain about arguing that anything simple to write "should" be low priced enough not to be worth copying, but it seems intuitively reasonable.

>
>The CD ROM is still a possible solution(not now, but soon). The ultimate
>solution is to have the software price cheap enough to make it not worth
>the trouble. Borland has the right idea. I don't want to see programming
>sweatshops anymore than the next person because I program for a living.
>
> William R. Bullman
> AT&T Bell Laboratories
> Allentown, PA
>
> ...!aluxe!wrbull
>
>/* Usual Disclaimer */

I like Borland's approach myself. I loaned my brother my copy of Turbo Pascal for a week when I wasn't using it, which convinced him that it was suited to his needs. He bought a copy. He's also trying to buy a word processing package, has become immensely frustrated because he's not able to take them home from the store to try out, and is currently making do with freeware WPP's until he can find one he can live with. He's bought three or four cheap WPP's, thus enriching their authors; only one expensive WP manufacturer is going to get money from him.

Bob Webber
peter@baylor.UUCP (Peter da Silva) (08/12/85)
> > If you're going to put part of the code in the dongle, why not put ALL of it
> > in the dongle? I mean, cartridge software is reliable and fast to load, and
>
> Two comments:
>
> 1. A key with 1K ROM is a lot cheaper than a key with 300K ROM.
>    One major goal is to keep key cost at $5-7.

True, but even a 300K ROM (why so big? The .exe file itself isn't 300K) is a drop in the bucket compared to the cost of the typical copy-protected package. And there's no reason to put libraries & other support in there, just ws.exe and ws.ovl... $39.95 packages aren't typically $300K in size. Games have been sold this way for years.

> 2. The code is executed IN THE KEY. This is not the same as the
>    PC executing ROM code from a key. The 'software lock' passes
>    a subroutine ID and parameter block to the key, and the key
>    fiddles with it and passes a parameter block back. Just

Oh what fun. Another way to slow down the computer. Isn't an 8088 slow enough for you already? :->

--
Peter da Silva (the mad Australian)
UUCP: ...!shell!neuro1!{hyd-ptd,baylor,datafac}!peter
MCI: PDASILVA; CIS: 70216,1076
jbn@wdl1.UUCP (08/23/85)
No, you can't break a good dongle by looking at its inputs and outputs, although you may be able to do so by analyzing the software that polls it. Good dongles work like Identify-Friend-Foe devices; the program challenges the dongle by sending it a random number, which it runs through an encryption algorithm, returning the result, which is then checked by the program. The challenge is never the same twice. Three iterations through the DES algorithm with different keys for each iteration is probably pretty solid.

John Nagle
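
The challenge-response check described in this thread (Lerner's point 2.A and Nagle's Identify-Friend-Foe comparison), as an added example that is not part of the original posts: a device that has only recorded past traffic passes when the host reuses a challenge and fails when every challenge is fresh. HMAC-SHA256 from the Python standard library stands in for the triple-DES transform Nagle suggests, and the names `Dongle`, `RecordedTraffic`, `host_check` and the secret value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"  # constructed value shared by key and host


class Dongle:
    """The hardware key: answers a challenge with a keyed transform of it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class RecordedTraffic:
    """A device that knows only challenge/response pairs seen on the link."""

    def __init__(self):
        self.table = {}

    def record(self, challenge: bytes, response: bytes) -> None:
        self.table[challenge] = response

    def respond(self, challenge: bytes) -> bytes:
        return self.table.get(challenge, b"\x00" * 32)


def host_check(device, secret: bytes, challenge: bytes = None) -> bool:
    """Host side of the check. A fresh 128-bit challenge is drawn unless a
    fixed one is forced. The host must hold the secret to verify the answer,
    which is why Nagle points at the polling software as the weak spot."""
    if challenge is None:
        challenge = secrets.token_bytes(16)
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)


def demo() -> dict:
    key = Dongle(SECRET)
    tap = RecordedTraffic()
    for _ in range(1000):  # constructed sample: 1000 observed exchanges
        c = secrets.token_bytes(16)
        tap.record(c, key.respond(c))
    fixed = b"A" * 16  # a host that always asks the same question
    tap.record(fixed, key.respond(fixed))
    return {
        "genuine_key_fresh_challenge": host_check(key, SECRET),
        "recorded_fresh_challenge": host_check(tap, SECRET),
        "recorded_fixed_challenge": host_check(tap, SECRET, challenge=fixed),
    }


if __name__ == "__main__":
    print(demo())
```
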