Newsgroups: comp.unix.admin Path: utzoo!censor!geac!gjetor!adeboer From: adeboer@gjetor.geac.COM (Anthony DeBoer) Subject: Re: Preventing date rollback Message-ID: <1991Jan24.142455.17747@gjetor.geac.COM> Keywords: software copy protection Organization: Geac J&E Systems Ltd. References: <3133@canisius.UUCP> <357@bria> <91@tdatirv.UUCP> Distribution: comp Date: Thu, 24 Jan 91 14:24:55 GMT In article <91@tdatirv.UUCP> sarima@tdatirv.UUCP (Stanley Friesen) writes: >Hmm, I have yet to see a truly non-intrusive scheme. I would require the >following before I considered a scheme non-intrusive: > >1. Allows backups to be made of the software, which can be used to restore > the protected software in case of media failure. > >2. Does not require any special hardware to run (the least intrusive system I > have yet seen appears to require a network conection to the vendor! Not > all of my systems have any netowrk capability) > >3. Does not require any user validation beyond normal login procedures. > (e.g. no extra passwords to run the package) > >4. Can be reinstalled on a new machine immediately in case of major > hardware failure. Point four would be completely at odds with having any software protection at all. What's to stop an unscrupulous user from taking his routine backup tape from the authorized system and restoring on several new machines as if they were each the replacement machine after a major failure? A hardware dongle (a protection gizmo that goes on a serial port or whatever) could prevent more that one copy from running, but that violates points two and four, the latter because if something horrible happens to the computer the dongle might be history too. Our company uses a package from another vendor that works entirely in software, which as near as I can tell from external evidence works something like this: Every time it wakes up it checks some external evidence of where it's installed (which might be the i-node numbers of a few key files) and uses this and the copy's serial number to generate an large pseudo-random "installation number". If this is the same as last time, then it's okay. Otherwise, it limits use of the package to three users and tells you you need to get it authorized, here are the serial and installation numbers, and please call 1-800-etc. You tell the person on the far end the numbers and he/she gives you an "authorization number" to key in that makes the package happy. This would normally happen only on initial installation and after restoring from a major crash. During normal running, it's completely unobtrusive and you can make all the backup copies you want. The two main holes that might exist in that scheme are firstly that you might possibly be able to do "mirror" backups to exactly duplicate the hard drive on one computer onto a physically identical box, creating a second authorized copy of the software, since it has no idea that it's not on the original machine anymore (honestly, though, I haven't tried this!), and secondly that it's up to the people at their office to try to figure out if the call is legit the second and subsequent times a call arrives asking for a given serial number to be authorized. Here, the unscrupulous user would need to be good at telling hardware horror stories that never happened. I suppose you're not going to get much closer to an optimal scheme. -- Anthony DeBoer - NAUI #Z8800 adeboer@gjetor.geac.com Programmer, Geac J&E Systems Ltd. uunet!jtsv16!geac!gjetor!adeboer Toronto, Ontario, Canada #include