Preventing date rollback

Anthony DeBoer adeboer at gjetor.geac.COM
Fri Jan 25 01:24:55 AEST 1991


In article <91 at tdatirv.UUCP> sarima at tdatirv.UUCP (Stanley Friesen) writes:
>Hmm, I have yet to see a truly non-intrusive scheme.  I would require the
>following before I considered a scheme non-intrusive:
>
>1. Allows backups to be made of the software, which can be used to restore
>   the protected software in case of media failure.
>
>2. Does not require any special hardware to run (the least intrusive system I
>   have yet seen appears to require a network connection to the vendor!  Not
>   all of my systems have any network capability)
>
>3. Does not require any user validation beyond normal login procedures.
>   (e.g. no extra passwords to run the package)
>
>4. Can be reinstalled on a new machine immediately in case of major
>   hardware failure.

Point four would be completely at odds with having any software protection at
all.  What's to stop an unscrupulous user from taking his routine backup tape
from the authorized system and restoring on several new machines as if they
were each the replacement machine after a major failure?  A hardware dongle (a
protection gizmo that goes on a serial port or whatever) could prevent more
than one copy from running, but that violates points two and four, the latter
because if something horrible happens to the computer the dongle might be
history too.

Our company uses a package from another vendor that works entirely in
software, which as near as I can tell from external evidence works something
like this: Every time it wakes up it checks some external evidence of where
it's installed (which might be the i-node numbers of a few key files) and uses
this and the copy's serial number to generate a large pseudo-random
"installation number".  If this is the same as last time, then it's okay.
Otherwise, it limits use of the package to three users and tells you you need
to get it authorized, here are the serial and installation numbers, and please
call 1-800-etc.  You tell the person on the far end the numbers and he/she
gives you an "authorization number" to key in that makes the package happy. 
This would normally happen only on initial installation and after restoring
from a major crash.  During normal running, it's completely unobtrusive and
you can make all the backup copies you want.

The two main holes that might exist in that scheme are firstly that you might
possibly be able to do "mirror" backups to exactly duplicate the hard drive on
one computer onto a physically identical box, creating a second authorized
copy of the software, since it has no idea that it's not on the original
machine anymore (honestly, though, I haven't tried this!), and secondly that
it's up to the people at their office to try to figure out if the call is
legit the second and subsequent times a call arrives asking for a given serial
number to be authorized.  Here, the unscrupulous user would need to be good at
telling hardware horror stories that never happened.

I suppose you're not going to get much closer to an optimal scheme.
-- 
Anthony DeBoer - NAUI #Z8800                           adeboer at gjetor.geac.com
Programmer, Geac J&E Systems Ltd.             uunet!jtsv16!geac!gjetor!adeboer
Toronto, Ontario, Canada             #include <std.random.opinions.disclaimer>
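
An added example, not part of the original post and not the vendor's code: a sketch of the installation-number check as the post guesses it works. It shows that a file-level restore lands on new i-node numbers and drops to the three-user limit, while the number depends only on the serial and the i-node numbers, so a copy that preserves both cannot be told apart. SHA-256 as the mixing function, the key file names and the serial number are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

KEY_FILES = ("pkg.bin", "pkg.cfg")   # hypothetical names for the "few key files"
UNAUTHORIZED_USER_LIMIT = 3          # the three-user limit described in the post

def read_inodes(install_dir):
    """External evidence of where the copy lives: i-node numbers of key files."""
    return [os.stat(os.path.join(install_dir, n)).st_ino for n in KEY_FILES]

def installation_number(serial, inodes):
    """Mix serial and i-node numbers into a large pseudo-random number.
    SHA-256 is a stand-in; the real package's function is not known."""
    h = hashlib.sha256(serial.encode())
    for ino in inodes:
        h.update(b"|" + str(ino).encode())
    return int.from_bytes(h.digest()[:6], "big")

def user_limit(serial, install_dir, authorized_number):
    """Wake-up check: None means unrestricted, otherwise the reduced limit."""
    current = installation_number(serial, read_inodes(install_dir))
    return None if current == authorized_number else UNAUTHORIZED_USER_LIMIT

def demo():
    serial = "SN-0001"  # constructed serial number
    with tempfile.TemporaryDirectory() as root:
        orig = os.path.join(root, "orig")
        os.mkdir(orig)
        for name in KEY_FILES:
            with open(os.path.join(orig, name), "w") as f:
                f.write("constructed sample\n")
        # Number recorded when the vendor authorized this installation.
        authorized = installation_number(serial, read_inodes(orig))
        # A restore from a routine backup recreates the files, so the
        # filesystem hands out fresh i-node numbers.
        restored = os.path.join(root, "restored")
        shutil.copytree(orig, restored)
        return {
            "original": user_limit(serial, orig, authorized),
            "file_level_restore": user_limit(serial, restored, authorized),
        }

if __name__ == "__main__":
    print(demo())
```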


