[mod.computers.vax] VAX SOFTWARE PROTECTION SCHEMES

kossmann%wnre.aecl.cdn%ubc.CSNET@RELAY.CS.NET.UUCP (02/17/87)

Some of our people are getting into the business of selling software, and
would like to implement software protection mechanisms:
	-	some serial number checked by the software
	-	yearly maintenance agreements & fees
	-	blowup dates
Anybody out there have any reasonably secure general mechanisms that could
be considered for VAX software?

LEICHTER-JERRY@YALE.ARPA.UUCP (02/18/87)

    Some of our people are getting into the business of selling software, and
    would like to implement software protection mechanisms:
    	-	some serial number checked by the software

No such serial number is available on a VAX.  (There is a "system ID" register,
but it does NOT necessarily contain a unique number on all VAXes.  As
it happens, the first 8192 or so 780's had unique values, leading people to
believe that ALL CPU's would have unique values; but then they started
wrapping.  For other CPU types, the SID may ALWAYS have the same value - the
750 is an early example.)

If the VAX happens to include an Ethernet interface, you can use its hardware
address.  This is guaranteed to be unique, but certainly cannot be guaranteed
to be present.  It could also change because the Ethernet interface is changed
(field service will USUALLY preserve the address PROM, but you can't be sure;
besides, the interface might get sold).

Large disks have software-readable serial numbers, though (a) they can be
changed by a format program; (b) disks move around, too.

In general, there is NO certain technique.  If all you want is a quick check,
you can use stuff like the DECnet node name and number.  Yes, this can be
faked - as can anything - but it will stop casual theft.

    	-	yearly maintenance agreements & fees

Sure, no problem.  Most VAX software is sold on this basis.

    	-	blowup dates

An EXTREMELY bad idea.  Be prepared for a massive lawsuit if your program
destroys valuable information, or even just stops working, when it had no
reason to.  About the only thing for which blowup dates are really acceptable
are for "try it out for 30 days, then decide" kind of deals, since no one is
likely to become at all dependent on the stuff in a short period of time when
they KNOW they haven't bought it anyway.  However, a "crippled" version of the
software - e.g., a database manager that won't handle more than 100 records -
is usually a better approach.

If you really want a time limit, have the program print out some sort of
complaint every time it is run after the time limit expires.  But still have it
work!

    Anybody out there have any reasonably secure general mechanisms that could
    be considered for VAX software?

There are no really secure techniques.  The various techniques used on micros
have generally been broken, and you have a LOT more room to play with on a
micro because you can get down into the guts of the rather limited hardware
in a way that's just not possible on a VAX.

VAXes are fairly expensive machines; the audience you are dealing with is a
lot more traceable and available for legal sanction than the micro community.
Legal protections are probably your best approach:  Get a good lawyer to
write your license agreement, and make it clear that you intend to enforce it.

							-- Jerry
-------