[Newbies] Uploading Patches and Enabling Features in Commercial Systems

Herbert König herbertkoenig at gmx.net
Thu Mar 8 19:33:38 UTC 2007 

This one should have hone to the list.

Right now I'll start playing with my mail client so that I don't reply
off list inadvertently.

Ron is not talking to himself. Sorry!

Hello Ron,

let's continue our totally newbie-ish discussion :-)

Ron you're doing this nice and systematically, be sure I will archive
this thread as long as it goes.

Thesis:
Name mangling as Bert suggests is a way to protect intellectual
property while the majority of points in this discussion are about
protecting the income  of the software supplier.

If a system is big enough (in lines of code) I would trust name
mangling a lot. It is a bit compromised by polymorphism. Identical
method names must have identical mangled names if it is an automated
process.

I was very close to using it twice (in Lisp), so I gave it serious
consideration.

RT> 1) A system must be able to enable features for a single instance and
RT> prevent those features from being shared to other systems.

If you combine name mangling with individual crypting you can build
modules which will only load into a single instance of the software.
            
RT> 2) A system could be able to detect features being used inappropriately
Will be unnecessary then.

RT> 3) A system could be able to periodically check for permission (trial
RT> software)
Smalltalk has one advantage here with being image based. If part (or
all) of the users data are always stored in the image you can keep a
timer in the system which detects a set back system clock. Again we
run such a timer in the hardware lock which also contains the end of
trial date.

RT> Hardware encryption is more costly then software.

Yea, the way to go is to have one medium into which several software
suppliers put their security codes. I guess the people from the link I
provide have exceeded their initial goal to sell 1 million of their
devices. I'm unhappy that I'm advertising here but those are serious
guys and we do business with them for more than a decade.

Imagine a dongle combined with a usb stick. The software suddenly
becomes a physical possession. People are used to dealing with
valuables for millennia. As soon as a stolen software connects to the
Internet the dongle (with all contained software) can be invalidated.

RT> Dongles have some issues, they are usually but not always only one factor
RT> (if you have the dongle the system works), they break or can be lost, and
RT> some are easily cracked (so it's important that the value of the software is

Like some software locks too, I cracked one by accident. OTOH I once
worked for a man who replicated a dongle to learn how to use gate
arrays :-))

RT> less then the amount of work to make your own, or that the dongles be unique
RT> per installation so that the selling of a cracked dongle is not profitable).

We have it this way though I personally dislike the effort it takes
building updates and upgrades.

RT> Also because the dongle links the computer to the software and not the user
RT> to the software unauthorized users can still access the software.  A good
RT> example is when a user leaves the dongle attached to the computer and goes
RT> to lunch.

I never tried but I believe that I can go to a computer, start IE, and
export any certificate to my usb stick with no one the wiser. That
leaves the password which in practice is easily hacked. Easy in a
statistical meaning, as you already observed people don't care about
security until it's too late.

Next week I'll try if exporting a certificate already needs the
password.

I would have to steal the dongle though. At least this wouldn't go
unnoticed. A call to the supplier could lock that dongle and a
replacement can be bought for the costs of the dongle.

RT> I do think that having hardware authentication is a good idea and it does
RT> make things much easier to verify when the crypto code is in the hardware.
RT> I still wonder why it is that they are not more widely used.

Here in Germany you can choose between several suppliers of dongles
many of them in the business for a long time. Autodesk have used
Dongles for very long until 2000 in Europe. They sell a lot :-))

I know of vendors moving towards a dongle and others giving up on the
dongle.

RT> As for email, until the certificates are free and the software does all the
RT> work for you, (hardware or not), I doubt we will see much more acceptance.

I totally agree.

RT> In the system that I'm building it is all automatic.  If you use my software
RT> and then write an email to your doctor it automatically sends it encrypted
>>from your regular email program.  Or if you fill out a personalized template
RT> online to communicate with your doctor it is also sent encrypted with your
RT> certificate so that the doctor (and the insurance company) knows they are
RT> talking to the real patient.  

How do you assure the identity of the patient the first time? How do
you assure the correct initial recipient?

I always enjoy this line of thought, I got my first contract because I
broke a protected software in front of the protector :-)

Thank you for reading!

Cheers

Herbert                            mailto:herbertkoenig at gmx.net

More information about the Beginners mailing list