ams@fourier.Princeton.EDU (Andrew Simms) (01/10/90)
Some of the folks I work for would like to make a reasonably secure scheme to insure their product runs only on machines they are licensed to run on. To do this, they would like to obtain a read-only number (such as a motherboard serial number) that could be used as a key to operate the software only on that machine. I know Mathematica on the Irises has a program called mathinfo that generates a unique number but I have no idea what it does to get it.

If there is sufficient interest, I will be happy to post a summary of responses emailed to me.

p.s. Ethernet addresses won't quite do it, since it needs to run on machines without ethernet boards.

----------------------------------------------------------------------
Andrew Simms
ams@acm.princeton.edu
System Administrator
Program in Applied and Computational Math
Princeton University
Princeton, NJ 08544
609/258-5324 or 609/258-6227
609/258-1054 (fax)
wiltse@oceana.esd.sgi.com (Wiltse Carpenter) (01/10/90)
In article <12817@phoenix.Princeton.EDU>, ams@fourier.Princeton.EDU (Andrew Simms) writes:
> ...they would like to obtain a
> read-only number (such as a motherboard serial number) that
> could be used as a key to operate the software only on that
> machine.
>
> p.s. Ethernet addresses won't quite do it, since it needs
> to run on machines without ethernet boards.
> ----------------------------------------------------------------------

The sysid(3C) call returns a machine identifier string that is unique for all SGI machines. The implementation is somewhat different on the various 4D models, but it is currently based on the E-net address in all of them. You are right that machines without Ethernet boards, or with boards that get swapped, will not return unique values. On the 4D/2x models however, the E-net address is stored on the chassis so that a swap of the electronics module will not affect the address or the return from the sysid() call and all machines have one.

Please also be aware that the gethostid(2) call is not the thing to use for this purpose on SGI machines since the super-user can set it with sethostid(2) to any legal value.

One more thing to be warned about: Do not use the mapping of the E-net address in the sysid call to obtain the E-net address itself! On future versions of our machines we may well come up with a better source for the serial number which may not have anything to do with the E-net address.

-Wiltse
sgf@cs.brown.edu (Sam Fulcomer) (01/11/90)
In article <47918@sgi.sgi.com> wiltse@oceana.esd.sgi.com (Wiltse Carpenter) writes:
>In article <12817@phoenix.Princeton.EDU>, ams@fourier.Princeton.EDU (Andrew Simms) writes:
>> ...they would like to obtain a
>> read-only number (such as a motherboard serial number) that
>> could be used as a key to operate the software only on that
>> to run on machines without ethernet boards.
>> ----------------------------------------------------------------------
>The sysid(3C) call returns a machine identifier string that is unique
>for all SGI machines. The implementation is somewhat different on the

Well, yes, unique unless someone goes to the trouble of changing getsysid() in the kernel.

I have yet to see a Unix-copy-protection scheme that is foolproof. The best approach involves additional hardware like a dongle, but unless the dongling is implemented correctly it can still be spoofed.

The best copy protection is quality software at a reasonable price.

sgf@cfm.brown.edu
blbates@AERO4.LARC.NASA.GOV ("Brent L. Bates AAD/TAB MS294 x42854") (01/11/90)
Hear, hear. I agree, if software is reasonably priced I don't mind paying for it, but if it costs as much as or more than the equipment it is going to be used on then it is too expensive.

--
Brent L. Bates
NASA-Langley Research Center
M.S. 294
Hampton, Virginia 23665-5225
(804) 864-2854
E-mail: blbates@aero4.larc.nasa.gov or blbates@aero2.larc.nasa.gov
sch@tachyon.UUCP (Steven C. Holzworth) (01/12/90)
In article <9001111538.AA09715@aero4.larc.nasa.gov>, blbates@AERO4.LARC.NASA.GOV ("Brent L. Bates AAD/TAB MS294 x42854") writes:
>
> Hear, hear. I agree, if software is reasonably priced I don't mind
> paying for it, but if it costs as much as or more than the equipment it
> is going to be used on then it is too expensive.
> --
>
> Brent L. Bates
> NASA-Langley Research Center
> M.S. 294
> Hampton, Virginia 23665-5225
> (804) 864-2854
> E-mail: blbates@aero4.larc.nasa.gov or blbates@aero2.larc.nasa.gov

This is the second person to say this, so I feel I have to respond...

We are a VAR for SGI computers. Our product is a high-end civil engineering and landscape architecture design system. (Sorry if this sounds like an Ad) Two configurations are available, one for approximately $10k and one for approximately $20k (roughly the price of a Personal IRIS). You would argue that that is too much to charge. There are several reasons for that price. The system has been under development for over five years, and has involved lots of dollars and lots of risk. The nearest equivalent products in the CE CAD market sell for approximately twice to three times that, and don't give the same performance (IMHO).

Looking at it from the viewpoint of a potential customer: Is it worth it to invest approximately $40k-$50K to double or triple the productivity of a $40k a year engineer? At the end of a year, the investment is recovered, after that you are ahead of the game. Will this product allow you to compete with larger firms? On larger projects? With fewer people?

Looking at it from our (the developer's) viewpoint: What is the relative worth of this product? How long will it take to recoup the cost of development? Further development? Marketing? A typical three day trade show costs approximately $25k to attend. A typical magazine ad, $4k. More importantly, how many systems can you REALISTICALLY expect to sell? 10? 100? 1000? This is not the microcomputer market. We can't expect to sell a hundred thousand copies of our software. AutoCAD can do that; it runs on micros. It also doesn't approach our capabilities (IMHO).

I apologize profusely if the above sounded like an ad. I'm merely trying to show some of the rationale that goes into pricing software in the mid to high-end computer industry. Note that I didn't mention the product name once.

Protection schemes: We use the sysinfo number, in addition to some other things :-) for our software. Is it secure? Yes, enough so for our purposes. Is it impregnable? No, not by a long shot. In our market, there just aren't that many grade A hackers who could defeat a reasonable protection scheme. Most companies with any sense would not risk it anyhow. (Again, this isn't the micro market. We're talking MAJOR lawsuit, here). I STRONGLY suggest you don't use the Ether address. As mentioned before, this is easily defeated.

I personally feel that most professional programmers can defeat any copy-protection scheme devised (including dongles). Most _professional_ programmers won't try. The idea is to make a scheme that is secure ENOUGH.

Note also: on the Personal IRIS, only the first few groups of the sysinfo field are significant, the rest are zero; on larger IRISes, all (64?) groups are used.

Again, I apologize if this was construed as an ad, that was not my intent. Flame or respond to me directly, don't overload the net.

P.S. The folks at SGI are doing a wonderful job answering questions on the net. I keep seeing new names appear in their responses, indicating a lot of people there are paying attention. Keep up the good work.

Sincerely,
Steven C. Holzworth
Vice President.
Stephen Dedalus, Inc.
rti!tachyon!sch
blbates@AERO4.LARC.NASA.GOV ("Brent L. Bates AAD/TAB MS294 x42854") (01/12/90)
I understand what you are saying, however, it is hard to convince some management types of that. Also, if the price is lower you are more likely to sell more copies than with the higher price. There often have been times when we see some software we would like, but the price is so high we don't or maybe the price is borderline. It is the same problem with anything anyone sells. Do you have a high price and sell a few units or do you have a low price and sell a lot of units?

--
Brent L. Bates
NASA-Langley Research Center
M.S. 294
Hampton, Virginia 23665-5225
(804) 864-2854
E-mail: blbates@aero4.larc.nasa.gov or blbates@aero2.larc.nasa.gov
vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (01/13/90)
In article <102@tachyon.UUCP>, sch@tachyon.UUCP (Steven C. Holzworth) writes:
> ...
> I personally feel that most professional programmers can defeat any copy-
>protection scheme devised (including dongles). Most _professional_ programmers
> won't try. The idea is to make a scheme that is secure ENOUGH.
>...
> Steven C. Holzworth
> Vice President.
> Stephen Dedalus, Inc.
> rti!tachyon!sch

Given one machine that can reliably execute the product under some repeatable conditions, it is obvious that with enough effort, a second machine sufficiently identical can be constructed. One might need to use xrays and chip building hardware or even bribery or extortion at the factory, but it can be done.

It has seemed to me that the goal is to make it secure enough to be able to go to court and say "That was no accident. You stole it on purpose." It seems enough to make the cost of stealing it (whether in court or in engineering time) less than the price of a copy.

Only the first bytes of the sysinfo string are useful anywhere. There was talk of forgetting the extra cruft a release or three ago. It seems unlikely we can ever actually reduce the size of the structure, since we prefer to avoid some of the screams caused by incompatibilities. (Note: I only said "some" :-)

Using the ethernet address for copy protection is crazy for lots of reasons, including the fact that there are ioctl's for changing the ethernet address. (Needed for DECNET.)

Vernon Schryver
Silicon Graphics
vjs@sgi.com
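[Added example, not part of any post in this thread.] The node-locking idea discussed above, sketched in Python to show why the posts prefer a read-only identifier over one the administrator can set. The key, product name, identifiers and the `ReadOnlyId`/`SettableId` classes are all constructed for illustration; nothing here calls the real sysid() or gethostid().

```python
import hashlib
import hmac

# Constructed demo key. With a symmetric MAC the verifier holds the same key,
# so this models the "secure ENOUGH" level discussed in the thread, no more.
VENDOR_KEY = b"constructed-demo-key"


def issue_license(product: str, machine_id: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: bind a product name to one machine identifier."""
    msg = product.encode() + b"\x00" + machine_id
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_license(product: str, license_hex: str, read_id, key: bytes = VENDOR_KEY) -> bool:
    """Client side: recompute the tag over whatever identifier the OS reports."""
    expected = issue_license(product, read_id(), key)
    return hmac.compare_digest(expected, license_hex)


class ReadOnlyId:
    """Hypothetical stand-in for a sysid()-style value fixed in hardware."""
    def __init__(self, value: bytes):
        self._value = value

    def read(self) -> bytes:
        return self._value


class SettableId(ReadOnlyId):
    """Hypothetical stand-in for a value an administrator can change, as the
    posts describe for gethostid()/sethostid() and the Ethernet address."""
    def set(self, value: bytes) -> None:
        self._value = value


def demo() -> dict:
    licensed = ReadOnlyId(bytes.fromhex("69001a2b"))   # constructed identifier
    other = SettableId(bytes.fromhex("69003c4d"))      # constructed identifier
    lic = issue_license("cadtool", licensed.read())
    result = {
        "licensed_machine": check_license("cadtool", lic, licensed.read),
        "other_machine": check_license("cadtool", lic, other.read),
    }
    other.set(licensed.read())  # identifier source is writable, so the binding moves
    result["other_after_set"] = check_license("cadtool", lic, other.read)
    return result


if __name__ == "__main__":
    print(demo())
```

The check itself never changes between the three cases; only the trustworthiness of the identifier source does, which is the point made about gethostid(2) and the Ethernet address.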
sgf@cs.brown.edu (Sam Fulcomer) (01/13/90)
In article <102@tachyon.UUCP> sch@tachyon.UUCP (Steven C. Holzworth) writes:
> Looking at it from the viewpoint of a potential customer: Is it worth it
>to invest approximately $40k-$50K to double or triple the productivity
?????? ??????
>of a $40k a year engineer?

Be realistic here; not that many engineers are still using pencils, slide rules and card decks. How's your product been doing since it was released? Has there been a steady increase in sales? What's the Corps think of it?

The bottom line is that almost all software >>is<< PC software (or soon will be) from any survivable marketing viewpoint. I certainly hope the $40-50k includes a PI.
ams@ACM.PRINCETON.EDU (01/13/90)
I apologize for being the cause of so much network flutter on yet another [pointless] discussion on copy protection. For everyone's info, sysid on the Iris seems to be the thing to use. That information answered my question so I think we should move on to other things. Thanks to everyone who responded to my query. --ams