Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.2 9/3/84; site sesame.UUCP Path: utzoo!linus!philabs!cmcl2!seismo!harvard!talcott!sesame!slerner From: slerner@sesame.UUCP (Simcha-Yitzchak Lerner) Newsgroups: net.micro.pc Subject: Re: Re: software protection - dongles Message-ID: <200@sesame.UUCP> Date: Thu, 18-Jul-85 00:34:26 EDT Article-I.D.: sesame.200 Posted: Thu Jul 18 00:34:26 1985 Date-Received: Sat, 20-Jul-85 17:02:39 EDT References: <566@alberta.UUCP> <10800011@uiucdcsp>, <176@entropy.UUCP> <922@mtgzz.UUCP> Organization: Lotus Development Corp Lines: 78 > > I am not very impressed with the security offered by these (expensive) > devices. I think a programmer armed with DEBUG could defeat them > given a little time. They do offer the user the ability to make > back up copies though. > > I am not sure which gives me more more pain using this device or > having software copied. > > A recent report I read said that the only effective hardware security > device was something that was an integral part of the program, such > as a mouse controller used because your software uses that kind of > device. > > Life is unfair things are much easier for hardware manufacturers. As the Principal Engineer of ADAPSO's "Software Authorization System (SAS) Proposal", I would like to make a few BRIEF comments in response to your remarks. 1. The proposal does not include any details of the protection mechanism. The design of a software lock/hardware key combination is entirely up to software vendors and/or 3rd parties. The SAS is ONLY a proposed communications standard. When I first investigated the situation of hardware protection devices, there were 125 (!) different products either in planning or production. They all had some similarities, and almost all could not co-exist on the same system. To avoid the horror of replacing the swapping of coded disks with the swapping of hardware devices, ADAPSO developed a proposed communication standard so that all these devices could co-exist. (Many other benefits -- particularly cost savings -- evolved from ADAPSO's work, but I will not bore you with the details now) 2. "Any programmer with debug will be able to defeat this type of system." This is NOT correct. While a poorly designed software lock could be defeated this way, most manufacturers that I have talked to are putting in a few features that will make this very difficult if not impossible: A. The program generates a random "question" which is sent to the key. The key returns an answer which is verified by the host. B. A part of the program code and/or structure is stored in the key for downloading. Some more adventurous firms are actually having several critical routines (of an inobvious nature) execute WITHIN the key. C. Almost all firms are planning to design a key so that it could not be shared by multiple machines via a "Y" connector or similar machination. As far as cost, the key ring (central comunication device of which a PC need only one for use of several key simultaneously) will cost in the $25-75 range, depending on features, number of slots, etc. The cost of a key will vary by complexity, but cost (to S/W vendor) will be from $4 on up. For those wishing more details, the proposal is in the final stages of preparation. Copies will be available via ADAPSO. (I would offer to post it except that it would be lacking too many critical diagrams...) VIEWS EXPRESSED HERE ARE NOT NECESSARILY ANYONE'S, PARTICULARY THEY ARE NOT NECESSARILY THE VIEWS OR OPINIONS OF LOTUS DEVELOPMENT CORP. -- Simcha-Yitzchak Lerner {genrad|ihnp4|ima}!wjh12!talcott!sesame!slerner {cbosgd|harvard}!talcott!sesame!slerner slerner%sesame@harvard.ARPA