[Newbies] Uploading Patches and Enabling Features in
herbertkoenig at gmx.net
Thu Mar 8 19:33:38 UTC 2007
This one should have gone to the list.
Right now I'll start playing with my mail client so that I don't reply
off list inadvertently.
Ron is not talking to himself. Sorry!
Let's continue our totally newbie-ish discussion :-)
Ron, you're doing this nicely and systematically; be sure I will archive
this thread as long as it goes.
Name mangling as Bert suggests is a way to protect intellectual
property while the majority of points in this discussion are about
protecting the income of the software supplier.
If a system is big enough (in lines of code) I would trust name
mangling a lot. It is a bit compromised by polymorphism. Identical
method names must have identical mangled names if it is an automated
I was very close to using it twice (in Lisp), so I gave it serious
RT> 1) A system must be able to enable features for a single instance and
RT> prevent those features from being shared to other systems.
If you combine name mangling with individual crypting you can build
modules which will only load into a single instance of the software.
RT> 2) A system could be able to detect features being used inappropriately
Will be unnecessary then.
RT> 3) A system could be able to periodically check for permission (trial
Smalltalk has one advantage here with being image based. If part (or
all) of the users data are always stored in the image you can keep a
timer in the system which detects a set back system clock. Again we
run such a timer in the hardware lock which also contains the end of
RT> Hardware encryption is more costly than software.
Yea, the way to go is to have one medium into which several software
suppliers put their security codes. I guess the people from the link I
provide have exceeded their initial goal to sell 1 million of their
devices. I'm unhappy that I'm advertising here but those are serious
guys and we have done business with them for more than a decade.
Imagine a dongle combined with a usb stick. The software suddenly
becomes a physical possession. People are used to dealing with
valuables for millennia. As soon as a stolen software connects to the
Internet the dongle (with all contained software) can be invalidated.
RT> Dongles have some issues, they are usually but not always only one factor
RT> (if you have the dongle the system works), they break or can be lost, and
RT> some are easily cracked (so it's important that the value of the software is
Like some software locks too, I cracked one by accident. OTOH I once
worked for a man who replicated a dongle to learn how to use gate
RT> less than the amount of work to make your own, or that the dongles be unique
RT> per installation so that the selling of a cracked dongle is not profitable).
We have it this way though I personally dislike the effort it takes
building updates and upgrades.
RT> Also because the dongle links the computer to the software and not the user
RT> to the software unauthorized users can still access the software. A good
RT> example is when a user leaves the dongle attached to the computer and goes
RT> to lunch.
I never tried but I believe that I can go to a computer, start IE, and
export any certificate to my usb stick with no one the wiser. That
leaves the password which in practice is easily hacked. Easy in a
statistical meaning, as you already observed people don't care about
security until it's too late.
Next week I'll try if exporting a certificate already needs the
I would have to steal the dongle though. At least this wouldn't go
unnoticed. A call to the supplier could lock that dongle and a
replacement can be bought for the costs of the dongle.
RT> I do think that having hardware authentication is a good idea and it does
RT> make things much easier to verify when the crypto code is in the hardware.
RT> I still wonder why it is that they are not more widely used.
Here in Germany you can choose between several suppliers of dongles,
many of them in the business for a long time. Autodesk used
dongles for a very long time, until 2000, in Europe. They sell a lot :-))
I know of vendors moving towards a dongle and others giving up on the
RT> As for email, until the certificates are free and the software does all the
RT> work for you, (hardware or not), I doubt we will see much more acceptance.
I totally agree.
RT> In the system that I'm building it is all automatic. If you use my software
RT> and then write an email to your doctor it automatically sends it encrypted
RT> from your regular email program. Or if you fill out a personalized template
RT> online to communicate with your doctor it is also sent encrypted with your
RT> certificate so that the doctor (and the insurance company) knows they are
RT> talking to the real patient.
How do you assure the identity of the patient the first time? How do
you assure the correct initial recipient?
I always enjoy this line of thought, I got my first contract because I
broke a protected software in front of the protector :-)
Thank you for reading!
Herbert mailto:herbertkoenig at gmx.net
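
The set-back-clock timer described in the message, sketched as an added example that is not part of the original post (Python rather than Smalltalk; a JSON blob stands in for state saved in the image, and `TrialState`, `check` and the 300-second tolerance are assumptions made for illustration):

```python
import json
from dataclasses import dataclass, asdict

TOLERANCE = 300  # assumed: seconds of backward drift accepted (e.g. time sync)
DAY = 86400

@dataclass
class TrialState:
    """Saved together with the user's data, standing in for the image."""
    expires_at: float   # end of the trial period, epoch seconds
    high_water: float   # latest wall-clock time ever observed
    rollbacks: int = 0  # how many times the clock was seen to go backwards

def check(state: TrialState, now: float) -> str:
    """Record one clock observation and return 'ok', 'clock-set-back' or 'expired'."""
    if now + TOLERANCE < state.high_water:
        # The clock reads earlier than a time that has already been seen.
        state.rollbacks += 1
        verdict = "clock-set-back"
    else:
        state.high_water = max(state.high_water, now)
        verdict = "ok"
    # Expiry is judged against the high-water mark, not the current reading,
    # so winding the clock back cannot extend the trial.
    if state.high_water >= state.expires_at:
        return "expired"
    return verdict

def save(state: TrialState) -> str:
    return json.dumps(asdict(state))

def load(blob: str) -> TrialState:
    return TrialState(**json.loads(blob))

def demo():
    """Constructed scenario: 30-day trial, clock readings given in days after start."""
    start = 1_000_000.0
    state = TrialState(expires_at=start + 30 * DAY, high_water=start)
    results = []
    for day in (1, 10, 2, 29, 31, 5):
        state = load(save(state))  # simulate a restart between observations
        results.append(check(state, start + day * DAY))
    return results, state.rollbacks

if __name__ == "__main__":
    print(demo())
```

The saved state is only as trustworthy as the place it is stored, which is the reason the message mentions running the same kind of timer in the hardware lock.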