zastita.1dejanr,
In the topic Virusi (Viruses) an interesting discussion began which turned to some moral and technical aspects of program protection. I think the topic is interesting enough to be treated separately, so I have copied the messages (leaving them where they were as well) into the series that follows in the topic ZASTITA...
zastita.2vkostic,
Dejan, you are well informed. Such protections really do exist, and I personally built some of them.
Some time ago, on the subject of piracy, you said something like this: "If I give someone a program which I know he needs, and which he certainly won't (or can't) buy, then that's OK". I agree with that position. An American can buy some C compiler, for example, for a negligible part of his salary. A Yugoslav has to work for months for it. Therefore piracy is too complex a subject to be looked at as black and white. But it is also a fact that in Yugoslavia a program CANNOT be sold unless it has some protection. If the program is good, it will simply spread like wildfire through friendly sharing and piracy, and nothing comes of the sales. And whoever invested great effort in writing that program has the right to earn something too.
For a private businessman I built a very handy card for program protection. The thing is 5x11 cm and simply plugs into any free slot. True, the computer has to be opened, but in return no add-ons connected to RS232 stick out of it afterwards. Programs are very easily protected with that card. Some protections with that card I really did build so that the program erases the hard disk if it notices that someone has tried to remove the protection. My position is extremely simple: if I sell you a program, install the card and use the program. And if you are so brazen as to try to break the protection (probably in order to pirate the program), then you really ASKED FOR the devil yourself.
You remember that some time ago I gave you the program XRD. I wrote that program for my personal use. I gave it to you because it was your idea. I gave it to other people too, because I am not selfish and I am glad that as many people as possible use that program. However, I recently came across a copy of that program which was no longer called XRD but something else, and on which some monkey had put his own name. XRD unfortunately was not protected, but some of my new routines are. If someone puts his name in place of mine, the program erases the hard disk. Is that moral? For me it is. The program will do nothing to someone who uses it normally. And the monkey who tries to steal my intellectual property gets what's coming to him.
If, Dejan, you still disagree with me, think about this: what would you do if I somehow stole your program RIND, put my name on it and started selling it around Belgrade? You could only shrug your shoulders, because in that situation you can't do anything to me. That's Yugoslavia. So why shouldn't programmers protect their programs?
P.S.
Dejan, I have a new version of the program XRD (without protection!). If you still use that routine, let me know and I'll send you the new version.
zastita.3dejanr,
It isn't only viruses that are dangerous - hardware protections are being built which destroy data if someone tries to hack around in the program. Someone might say "he asked for it and he got it", but it isn't so - as soon as something like that exists in the code, there is also a chance that it gets executed because of some bug or who knows what. Because of this an American firm selling such software would be skinned alive in court, but in smaller countries that legal system doesn't exist - I have heard that makers of domestic hardware protections build such things into programs (or at least say they do... who knows), which means all sorts of things are in store for us...
Personally I would never use a program protected by a hardware key - I tried some Multi Lingual Scribe and had had enough of it within an hour!
zastita.4dejanr,
A very interesting topic for discussion!
>> But it is also a fact that in Yugoslavia a program CANNOT
>> be sold unless it has some protection.
I think it isn't a fact! In Yugoslavia in principle the same mechanisms apply as in any other (more or less market-oriented) country, it's just that some of the constants may be different. And those mechanisms are as follows: if I am in some line of business, if in that business I am trying to be competitive, and if I buy a computer and then a program in order to be even more competitive, then I am completely mad if I give the program to others! Of course, it will happen that I and someone else buy a program and each pay half, but then we will both be mad if we share the program further. If the program is very general and cheap, the required coefficient of madness is smaller, so it will spread faster. If the program is specialised and expensive, it will be pirated very little! In America there were once a lot of protected programs and now there are almost none - even the new Lotus and dBASE aren't protected! Of course, there is piracy there too, but software firms still do very nicely - when we too have more computers and more of a market, the rules will apply more, and that's all!
Second, if I really use a program for something, the author's support means *a lot* to me, and I don't have it if I get a pirated version - let the YU characters on my computer be laid out a little differently and I can happily throw the pirated word processor away! So I think that here (as everywhere else) a program can be sold perfectly well without protection - it will be protected by orientation toward a narrow market, a high price, documentation and customer support! Let me cite one experience with selling Cyrillic fonts for a laser printer - a man asks "and can I give this to a colleague" and gets the answer "your business, but then install it yourselves". Of course, both of them bought a set each!
>> For a private businessman I built a very handy card for
>> program protection. The thing is 5x11 cm and simply plugs
>> into any free slot. True, the computer has to be opened,
>> but in return no add-ons connected to RS232 stick out of
>> it afterwards. Programs are very easily protected with
>> that card.
Sounds interesting... handier than a dongle that pushes the computer away from the wall. But there are drawbacks too - specifically, I know an excellent 386 board which has 6 slots: one for memory, one for the serial/parallel card, one for the modem, one for the scanner, one for the disk controller, one for the graphics card and... where do we put the protection? And the protection for another program by another author? There is simply no comfortable protection!
>> Some protections with that card I really did build so that
>> the program erases the hard disk if it notices that someone
>> has tried to remove the protection. My position is extremely
>> simple: if I sell you a program, install the card and use the
>> program. And if you are so brazen as to try to break the
>> protection (probably in order to pirate the program), then
>> you really ASKED FOR the devil yourself.
I would never put such a program in my computer, so I don't know how it could be useful - if there is code somewhere in there that erases data, how do I know that some error (say, some other program "goes crazy" and writes some data to the hard disk that lands in your program - through no fault of mine) won't cause a disaster! Besides, I think all those hardware protections are relatively easy to break with good equipment - PCAD fell to an 80286 emulator, and in 3 hours at that! The trouble with such protections is that with a little equipment it is *very easy* to catch the moment when the program accesses the peripheral, and after that it really isn't hard to disassemble around it a bit and look for the "dangerous" code. Besides, even without equipment one can install Flu Shot or some other antivirus program and quite certainly catch an attempt to erase data from the disk!
>> ... what would you do if I somehow stole your program RIND,
>> put my name on it and started selling it around Belgrade?
>> You could only shrug your shoulders, because in that
>> situation you can't do anything to me.
It wouldn't be the first time something like that happened, and I really would shrug my shoulders - I think that whoever does that says quite enough about himself, and every potential "buyer" will figure that out very quickly; I "suffer", but at least I remain remembered as someone who made a good program! But I think that protection doesn't help much there either - sooner or later (probably sooner) someone will break it, and only then does the sharing around begin - I remain remembered as someone who made a bad protection!
>> I have a new version of the program XRD (without protection!).
>> If you still use that routine, let me know and I'll send you
>> the new version.
Of course, I use XRD constantly and very gladly, though it once caused me a disaster - namely, to delete a directory I have to "climb" above it, and once I wanted to be smart, so I typed XRD . (pretending the dot is the current dir). It seemed to me that the deletion was taking too long, so I reset the computer and found... the disk in chaos. Luckily it was drive E, which has nothing too important on it anyway, but I lost the high-score table in Tetris, which set me back two months! The new version interests me very much.
For those who don't use XRD (nor that equivalent by an "unknown author"), XRD TEMP deletes the directory TEMP and all the files in it; with XRD TEMP /S you can delete all the subdirectories too - handy when you need to "kill" one of Microsoft's languages or Logitech Modula 2...
zastita.5vkostic,
Dejan, I think we should have opened a new topic - "MORAL ASPECTS OF PROGRAMMING AND PROGRAM PROTECTION". Our discussion doesn't belong under "VIRUSES".
I have improved XRD according to your last remark: it can delete everything from a directory but does not remove the directory itself. Just type XRD and you will get instructions. Also, it emits one very long beep if you try to erase the whole of disk C or D.
I am sending XRD V2.1 with this message. It is intended for everyone who wants to use it (and has no protection whatsoever).
I'll try the thing with the dot now. If it's a bug, then we'll soon have XRD V3.0.
Regards, V.K.
zastita.6dejanr,
Regarding XRD: for me drive E should "sing" too, and surely there is someone who needs "music" for F, G... It could be made to "sing" for every drive above B, but then the RAM disk would be a problem, since it often needs "clearing" - perhaps the program could check by itself whether it's dealing with a hard disk...
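The XRD exchange above describes three failure modes of a directory-wiping tool: being asked to wipe "." while standing inside the target, being pointed at a whole drive, and removing the directory itself when only its contents should go. The following is an added example, a hypothetical Python reimplementation of those guard rails (not XRD's code, whose source is not on this page); the protected-root list and the behaviour of refusing anything that contains the current directory are assumptions of this example.

```python
"""Added example (hypothetical Python reimplementation, not XRD's code):
a directory-wiping helper with the guard rails the XRD exchange asks for:
refuse "." and anything that contains the current directory, refuse
drive/filesystem roots, and keep the directory itself by default."""
import os
import tempfile


def check_target(target, cwd, protected_roots=()):
    """Return None if `target` may be wiped, otherwise a refusal reason."""
    target_abs = os.path.abspath(os.path.join(cwd, target))
    cwd_abs = os.path.abspath(cwd)
    try:
        # the "XRD ." case: wiping the tree you are standing in (or a parent of it)
        if os.path.commonpath([target_abs, cwd_abs]) == target_abs:
            return "refusing: target contains the current directory"
    except ValueError:
        pass  # different drives on Windows: unrelated paths, no overlap
    # the "whole disk" case: an explicit root list (assumed), plus any filesystem root
    if target_abs in (os.path.abspath(r) for r in protected_roots):
        return "refusing: target is a protected root"
    if os.path.dirname(target_abs) == target_abs:
        return "refusing: target is a filesystem root"
    return None


def wipe_contents(target, cwd, recursive=False, keep_dir=True, protected_roots=()):
    """Delete the files in `target` (the XRD TEMP case); with recursive=True
    also delete its subdirectories (the XRD TEMP /S case). By default the
    directory itself is kept, as the V2.1 note describes.
    Returns (number_of_files_deleted, refusal_reason_or_None)."""
    reason = check_target(target, cwd, protected_roots)
    if reason:
        return 0, reason
    target_abs = os.path.abspath(os.path.join(cwd, target))
    deleted = 0
    # bottom-up walk, so subdirectories are empty by the time they are removed
    for dirpath, _dirnames, filenames in os.walk(target_abs, topdown=False):
        if dirpath != target_abs and not recursive:
            continue
        for name in filenames:
            os.remove(os.path.join(dirpath, name))
            deleted += 1
        if dirpath != target_abs:
            os.rmdir(dirpath)
    if not keep_dir and recursive:
        os.rmdir(target_abs)
    return deleted, None


def demo():
    """Build a throwaway TEMP tree (constructed sample data) and exercise the guards."""
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "TEMP")
    os.makedirs(os.path.join(tree, "SUB"))
    for rel in ("A.TXT", "B.TXT", os.path.join("SUB", "C.TXT")):
        with open(os.path.join(tree, rel), "w") as fh:
            fh.write("constructed sample file\n")
    results = {}
    results["dot"] = check_target(".", cwd=tree)                          # XRD . from inside TEMP
    results["root"] = check_target(os.sep, cwd=base, protected_roots=(os.sep,))
    results["flat"] = wipe_contents("TEMP", cwd=base)[0]                   # files only
    results["sub_survives"] = os.path.isdir(os.path.join(tree, "SUB"))
    results["recursive"] = wipe_contents("TEMP", cwd=base, recursive=True)[0]  # /S
    results["dir_kept"] = os.path.isdir(tree)
    os.rmdir(tree)
    os.rmdir(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refusal happens before any file is touched, which is the property that matters: the tool never has to be reset half-way through a wipe it should not have started.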
zastita.7zblagdan,
apropos C compilers: PowerC costs 19.95 USD.
apropos Lotus: there is Twin
etc.
if we drive a Yugo (and not a BMW) because that is what we can afford, can we apply the equivalent to SW?
hard, because software can be copied very easily.
it's a matter of morals.
in America too they started out with copying and theft. over time there is less and less of it. why? how do we too reach the stage in the attitude towards SW that the Americans are at now.
10 years later!?
we need to work on that.
Računari is doing something about it (ads, SW reviews), but on this BBS there is licensed software!?
zastita.8zzivotic,
Which program do you mean when you say that there is licensed software on Sezam? If something has escaped us, we will certainly correct the mistake, because we intend to abide here by the same things the magazine abides by.
And how do we get to where the Americans are now? First, I am not sure that the situation there, all circumstances considered, is so very different from ours - software has simply become cheap enough that it is worth paying the money for the support from the firm that you get by buying the program. I think that there too programs are copied without authorisation on a significant scale, and that these resellers of ours are actually small fry compared to what goes on there. I don't know the situation in America directly, but I have had the chance to see how the Taiwan - Singapore connection works - the people even publish their own catalogue!
Personally I think, although I would be the first to be glad if I were wrong, that the situation with programs will change only when a *normal* software market is introduced. In some segments it is already emerging - nobody, for instance, thinks of "borrowing" a payroll program from colleagues at another firm - installation and maintenance are something that obviously *must* be paid for.
And why is there no market in the segment of personal - let's call it "home" - software? I think the answer is clear - because *there is no need* on a significant scale. Most of the programs that all of us have on diskettes we actually never *really* need - so who would even pay money for such a thing.
Given that I have certain experience with selling my own software, I think I can claim that, say, a domestically produced word processor would be copied en masse within a few days, and that there is no way for the author to protect himself. Why? Because a general-purpose word processor is actually *something that a very small number of people **really** need*!
Zoran
zastita.9dejanr,
Yes, in America too software is pirated massively, especially among the "technical intelligentsia". But I think people pirate programs in order to see and try them - if someone concludes that he will really use a program, he almost invariably buys it. As far as firms are concerned, the situation is even more "orthodox".
I think the first step in stopping piracy would be preventing firms from using (or, worse still, selling) pirated software - when giants known around the world (Energoxxxx) and institutes (Puxxx) do such things, what is left for individuals?
zastita.10ilja,
Vlado, since we are imagining situations, imagine this:
You start breaking some foreign program (come on, admit you have done it) and it erases your disk. Fine, you asked for it, but wouldn't you then be furious, work three times as hard to break it, and then, once you have broken it, share it around out of spite?
And second, what moral right (and this is about moral right) do we have to protect our own programs and break other people's? Did you buy the editor you use, the compiler (MSC, was it?) you use... And when you wrote the Screen Editor, did you use a purchased DEVPAC or a pirated one?
I asked Dejan similar things elsewhere, so I won't repeat them here, but the same question applies.
Ilija
zastita.11vkostic,
Have I broken protections? Yes. The last protection I broke was on the program KOREKTOR. That is a program by one of our authors. I got a demo version of that program. I removed the protection so that the program would do everything the commercial version does. Why did I do it? I use KOREKTOR every day and the protection really got in my way. The program belongs to the firm ZOI DATA, but for some reason they don't sell it. The program didn't erase my hard disk, and if it had, I would consider that I got what I deserved. Do I spread the program around? *****NO!!!*****. Would I spread it around if it had erased my hard disk? *****NO!!!*****. If KOREKTOR were sold normally, I would buy it.
I don't believe that Microsoft, Borland or HiSoft went broke because I used their products copied from friends. Besides, even if I had wanted to, I *COULDN'T* have bought all that software.
But on the other hand I consider that domestic authors are not multinational companies, and that they lose a lot when even a single copy of a program is pirated.
P.S.
For sysop Dejan or Zoran:
KOREKTOR is a spelling checker for our language which knows 200,000 words (actually 20,000, but in all cases and forms). It works really excellently and isn't too big. Since the demo version (which does almost everything the real one does) may be freely copied, it might be interesting to put it on SEZAM.
Regards, V.K.
zastita.12zzivotic,
It really sounds interesting to put KOREKTOR on Sezam, that is, its demo version, though it isn't quite clear to me why a demo version is being distributed if the program isn't sold?
Regardless, if the package isn't too big (say 150-200 is the absolute upper limit) you can send it with a private message to the editorial office of "Računari", to Dejan or to me, and we will make it available to everyone.
Thanks for the suggestion,
Zoran
zastita.13dejanr,
Yes, put up the demo version... and if in some message you describe how you broke it, the benefit will be manifold...
Of course, I'm joking. But in every joke...
zastita.14vkostic,
OK. I'll send KOREKTOR. Why is the demo version distributed while the program isn't sold? No idea. I think ZOI DATA intended to make a complete DTP package in which the corrector would be just one part. Apparently nothing came of it.
It's a pity that program met such a fate, because it really is excellent.
Regards, V.K.
zastita.15vkostic,
Fine.
So, Dejan, you take FSD and type... THE REST OF THE MESSAGE TEXT DELETED BY VLADIMIR KOSTIĆ FOR MORAL REASONS... Once you have done all that, Korektor will work perfectly!
Regards, V.K.
zastita.16zzivotic,
Vlada has sent KOREKTOR, which is available in the IBMPC directory. We thank Vlada for a really interesting contribution.
zastita.17vkostic,
This is the revelation of the year:
The following rumours are circulating around Belgrade:
Supposedly every processor (on PC machines) and every hard disk has its own serial number! Some guy (from here, from Belgrade) has supposedly developed a terrific program protection based on that principle.
OK, every processor and every hard disk really does have a sticker with a serial number, but for software to read it...
I'd really like to see that protection!
zastita.18dejanr,
I don't know about the PC (probably just a hoax), but on the VAX it really is so, and programs really are made that work only on the machine they were written for!
A hard disk does indeed have some "super zero" sector with information about the model and so on - I saw this long ago in PC Magazine, but it would now be rather hard to find that issue (since they don't have RIND...); only it doesn't seem to me that anything was written there that would be of any use at all. But as for the processor, that is such mass production that I'd bet nothing of the kind exists. Though again, on EPROMs it does exist, but it is read out only under high voltage (on a programmer) and under special conditions.
All in all ??????????
zastita.19vkostic,
People really tried to convince me that the processor has its own serial number.
OK, it isn't hard to imagine some undocumented instruction which would write a serial number into some register. Only, then every processor would be unique. Knowing the manufacturing process of integrated circuits, that would be *hyper* expensive.
For the hard disk? Maybe. I don't believe it's in the boot sector, but maybe in the partition table. But, again, who assigns that serial number, and how. And even if it is assigned, it can always be changed with NU.
Still, a PC isn't the same as a VAX.
zastita.20bpogacar,
I agree with Zoran and Dejan that people don't buy some software because they *actually* don't need it. But if I establish that a program is strategic for my business, then I certainly buy it, because I am fed up with reading bad and incomplete copies of manuals, incomplete programs, asking around about new versions ....
I think that the situation in YU is specific, because it occurs to nobody to pay for a program he somehow obtained, even though he uses it regularly and even though the program carries clear copyright markings. Here I mean firms, that is all entities in the social sector, and likewise private enterprises and trades, because with a stolen program they generate higher profit (reduced costs or better organisation of work, which in the final consequence is the same thing). I think they ought to pay for the program as a) a copyright fee and b) a participation, that is an interest in the further development of the program (if Ver. 1.x serves them, Ver. 1.y will probably serve them even better, and there we have even more optimal business). It is another matter for home, that is *personal*, use. No profit is generated there, so I don't care if (my) program gets taken home. In fact, it even pleases me, because it means it's good ...
And what about protection? Unfortunately, there is probably really no CORRECT protection. Say the user makes a regular unattended backup of the disk onto three tapes. Don't tell me he uninstalls the program before the backup ... And then his FAT nicely crashes, he formats the disk and does a restore ... What now, if the program has some strong protection (say it is sensitive to its position)? Or a program which is sensitive to the configuration, so I get a new RS-232 for the modem and the program that worked nicely until now messes me up. I could go there and sort it out. But imagine I have some 300xx users ...
This philosophy doesn't apply to very expensive (and rare) programs, which have a stronger impact on business. And that has already been discussed (see 22.4).
That is why I, as a producer of programs, don't like protections. I only put in some trivial protections (a DOS SET variable, some BAT files for invocation, ...), just enough so that truly EVERY fool can't copy the program off. And as a buyer I don't buy protected programs at all. I don't like having bombs in my computer.
I think that s l o w l y the times are coming when our firms too will buy even domestic general-purpose programs; at least here in Slovenia the situation seems to be normalising. For a few months now I haven't received a stolen program from colleagues. And I have bought some three in the meantime ...
*** happy new year *** boštjan
zastita.21dejanr,
An interesting contribution from practice on the topic of PROTECTION. These days I received for testing the program VIDEO 3.2 by Zvonko Šiminić - it is a database which is supposed to make running the business of a video rental shop easier.
Diskette + manual, and I, surprisingly, start with the manual, and somewhere in there it says:
>> Certain protections are built into the program, so you are
>> warned in advance of the possible consequences of unauthorised
>> copying and use of the program, in which case the author accepts
>> no responsibility.
There I immediately decide that I won't even test the program, but then I say, all right, let me try since it's here anyway. I start Flu Shot Plus, make a directory and then B:INSTAL (I plan to change the motherboard tomorrow, so I had been rummaging in the case; A: is currently 3.5 inch). No go, says the program, it has to be installed from A. So I curse through the whole list, pull the case apart, swap the cables and then A:INSTAL. No go, says the program, the diskette mustn't be write protected. Fine, I grumble again, so why did they put write protection on it? Ah, the author must expect me to make a backup and install from that. I do a DISKCOPY, put in the copy, A:INSTAL, which directory to install into, it sets off writing something to the diskette (Flu Shot roars every time, but as long as it isn't on the hard disk I let it work, what do I care) and at the end it reports some Error, and there is not a single EXE program in the directory. Aha, I say, maybe it's protected, let's try the original after all. I remove the write protect, install again, same target same distance, same error! To make it all even nicer, every time the program is installed wrongly it erases itself, so all I had left was to hurl the diskette and manual at some nice place.
Of course, the program came in for testing and I didn't cry over it. But if I had bought and paid for it and it behaved like this, I would have smashed it over the author's head!
Afterwards I had a look at what is in there: the program is ZIPped with a password, and when you say DUMP INSTAL.EXE, somewhere in there in plain ASCII code you can see what the password is. Well, fine, if the program is being protected anyway, can't it be done a little better? And what do you say to a program that installs itself on the hard disk and then erases itself on the diskette (even if all is well - it says so in the manual); if your disk crashes, you are left without the program! And meanwhile the members come into the video club, don't return the cassettes...
zastita.22vkostic,
That is what happens when everyone tries to protect his own program. Program protection is definitely not a job for amateurs. Everything has to be carefully planned, all variants and possibilities taken into account (the user puts the diskette in drive B instead of A, etc.), and a protection built that won't erase the hard disk because a virus got into the program and it thinks it has been pirated.
Regards, V.K.
zastita.23dejanr,
>> Everything has to be carefully planned, all variants and
>> possibilities taken into account (the user puts the diskette
>> in drive B instead of A, etc.), and a protection built that
>> won't erase the hard disk because a virus got into the program
>> and it thinks it has been pirated.
... or one should do something much simpler, safer and cheaper, i.e. not protect the program. The rest of the world arrived at this long ago, though there is a lot of truth in Vlada's earlier argument that the situation here is different. However, I think that in the given case the simplest protection would be to encode into the program the name and address of the video shop that bought it (not in quite plain ASCII, of course, which sticks out in Norton) - it is unlikely that anyone will advertise the competition this way, and I don't see what he would do with the printouts, unless he wiped out the headers with correction fluid!
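Two observations in this thread fit together: the INSTAL.EXE password that shows up in plain ASCII under DUMP, and the suggestion just above to encode the buyer's name and address so that it does not "stick out in Norton". The block below is an added example, not the thread's or VIDEO 3.2's code: a DUMP-style printable-string scan over a constructed toy image, once with the stamp stored plainly and once with it masked. The mask constant, the STAMP marker and the image layout are assumptions of this example. Note what the masking does and does not buy: it keeps the stamp out of a casual string dump, but anyone with the binary can reverse it, so it is a deterrent for the video-shop case, not secrecy.

```python
"""Added example (not from the thread, not VIDEO 3.2's code): a DUMP-style
printable-string scan shows why a secret stored as plain ASCII in an
executable is exposed, and how a licensee stamp can be stored so that it
does not appear in such a dump yet can still be read back at run time."""
import hashlib
import re

# Hypothetical fixed mask; the high bit is forced on so that masked ASCII
# bytes are never in the printable range. This is obfuscation, not
# encryption: the mask ships inside the program and can be recovered.
MASK = bytes(0x80 | b for b in hashlib.sha256(b"video-club-stamp").digest())
STAMP_MARK = b"STAMP"  # hypothetical marker preceding the stamp


def printable_strings(blob, min_len=6):
    """Runs of min_len+ printable ASCII bytes, as DUMP or strings(1) would show."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def stamp_encode(text):
    data = text.encode("utf-8")
    return bytes(b ^ MASK[i % len(MASK)] for i, b in enumerate(data))


def stamp_decode(blob):
    return bytes(b ^ MASK[i % len(MASK)] for i, b in enumerate(blob)).decode("utf-8")


def build_image(licensee, masked=True):
    """Construct a toy executable image: filler bytes (all >= 0x80, standing
    in for code) with the licensee stamp in the middle, plain or masked."""
    filler = bytes(0x80 | (i % 128) for i in range(256))
    payload = stamp_encode(licensee) if masked else licensee.encode("utf-8")
    header = STAMP_MARK + len(payload).to_bytes(2, "little")
    return filler[:128] + header + payload + filler[128:]


def read_stamp(image, masked=True):
    """What the program itself would do at start-up: locate and decode the stamp."""
    i = image.index(STAMP_MARK) + len(STAMP_MARK)
    n = int.from_bytes(image[i:i + 2], "little")
    payload = image[i + 2:i + 2 + n]
    return stamp_decode(payload) if masked else payload.decode("utf-8")


def analyse(licensee):
    """Compare what a string dump reveals for a plain and a masked stamp."""
    plain = build_image(licensee, masked=False)
    masked = build_image(licensee, masked=True)
    return {
        "plain_visible": any(licensee in s for s in printable_strings(plain)),
        "masked_visible": any(licensee in s for s in printable_strings(masked)),
        "masked_strings": printable_strings(masked),
        "roundtrip": read_stamp(masked) == licensee,
    }


if __name__ == "__main__":
    # constructed licensee name, not a real business
    for key, value in analyse("VIDEOTEKA ZVEZDA, Beograd").items():
        print(f"{key}: {value}")
```

The same scan applied to the plain image is exactly the DUMP INSTAL.EXE observation: whatever a program carries as readable ASCII, a dump will show, so a password embedded that way protects nothing.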
zastita.24vkostic,
>> However, I think that in the given case the simplest
>> protection would be to encode into the program the name
>> and address of the video shop that bought it.
Yes, for such a program that would be an excellent protection, and quite sufficient.
Regards, V.K.
zastita.25dejanr,
TITLE: SunView Security Hole Alert 8/14/90
To: cert-advisory@CERT.SEI.CMU.EDU
Subject: SunView selection_svc vulnerability
Date: Tue, 14 Aug 90 14:54:37 EDT
From: CERT Advisory <cert-advisory-request@CERT.SEI.CMU.EDU>
CA-90:05 CERT Advisory
August 14, 1990
SunView selection_svc vulnerability
-----------------------------------------------------------------------------
Sun has recently released a patch for a security hole in SunView.
This problem affects SunView running on all versions of SunOS (3.5 and
before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4,
386i). This vulnerability allows any remote system to read selected
files from the workstation running SunView. As noted below in the
IMPACT section, the files that can be read are limited.
This vulnerability is in the SunView (aka SunTools) selection_svc
facility and can be exploited while SunView is in use; however, as
noted below in the IMPACT section, this bug may be exploitable after
the user quits using Sunview. This problem cannot be exploited while
X11 is in use (unless the user runs X11 after running Sunview; see the
IMPACT section). This problem is specific to Sun's SunView software;
to our knowledge, this problem does NOT affect other vendor platforms
or software.
OBTAINING THE PATCH
To obtain the patch, please call your local Sun Answer Center
(in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01.
You can also reference Sun Bug ID 1039576.
The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3,
Sun4, and 386i architectures. Contact Sun for further details.
IMPACT
On Sun3 and Sun4 systems, a remote system can read any file that is
readable to the user running SunView. On the 386i, a remote system
can read any file on the workstation running SunView regardless of
protections. Note that if root runs Sunview, all files are
potentially accessible by a remote system.
If the password file with the encrypted passwords is world readable,
an intruder can take the password file and attempt to guess passwords.
In the CERT/CC's experience, most systems have at least one password
that can be guessed.
Sunview does not kill the selection_svc process when the user quits
from Sunview. Thus, unless the process is killed, remote systems can
still read files that were readable to the last user that ran Sunview.
Under these circumstances, once a user has run Sunview, start using
another window system (such as X11), or even logoff, but still have
files accessible to remote systems. However, even though
selection_svc is not killed when Sunview exits, the patch still solves
the security problem and prevents remote access.
CONTACT INFORMATION
For further questions, please contact your Sun answer center or send
mail to security-features@sun.com.
Thanks to Peter Shipley for discovering, documenting, and helping
resolve this problem.
-----------------------------------------------------------------------------
J. Paul Holbrook
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 (24-hour hotline: CERT personnel answer
7:30 a.m.-6:00 p.m. EST, on call for emergencies other hours).
Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).
[cert-advisory-request@CERT.SE
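The IMPACT section above makes an operational point: selection_svc is not killed when SunView exits, so a workstation can keep exposing the last user's files after that user has moved to X11 or logged off, and if root ran SunView every file is exposed. The block below is an added example, not part of the CERT advisory or of Sun's patch: a check that classifies every selection_svc instance from ps(1) and who(1) output. The sample lines are constructed, not real SunOS output, and the BSD-style column order (USER PID ... COMMAND) is an assumption.

```python
"""Added example (not part of the CERT advisory): classify lingering
selection_svc processes from ps(1) and who(1) output. The sample text
below is constructed for the example, not captured from a real system."""
import os

PS_SAMPLE = """\
USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
root         1  0.0  0.0   52    0 ?  IW   Aug13  0:01 /sbin/init
alice      312  0.0  0.4  120   88 ?  S    09:02  0:00 selection_svc
alice      315  0.1  1.2  640  300 co S    09:02  0:10 suntools
bob        401  0.0  0.4  120   88 ?  S    10:30  0:00 selection_svc
root       517  0.0  0.2   96   40 p0 S    11:12  0:00 -csh
root       520  0.0  0.4  120   88 ?  S    11:12  0:00 selection_svc
"""
WHO_SAMPLE = """\
alice    console  Aug 14 09:01
root     ttyp0    Aug 14 11:12
"""


def parse_ps(text):
    """Return (user, pid, command_basename) for each non-header ps line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 11:
            continue
        rows.append((fields[0], int(fields[1]), os.path.basename(fields[10])))
    return rows


def logged_in_users(text):
    """Set of user names with a login session according to who(1)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def selection_svc_report(ps_text, who_text):
    """Classify every selection_svc instance:
       'root'     - exposes every file on the workstation (advisory: root ran SunView)
       'orphaned' - owner has no login session, i.e. left behind after SunView exited
       'active'   - owner is logged in; files still remotely readable until patched"""
    users = logged_in_users(who_text)
    report = []
    for user, pid, cmd in parse_ps(ps_text):
        if cmd != "selection_svc":
            continue
        if user == "root":
            status = "root"
        elif user not in users:
            status = "orphaned"
        else:
            status = "active"
        report.append((user, pid, status))
    return report


if __name__ == "__main__":
    for entry in selection_svc_report(PS_SAMPLE, WHO_SAMPLE):
        print("%-8s pid %-5d %s" % entry)
```

All three classes need the patch; the report only orders the clean-up, since an orphaned or root-owned instance is the one still serving files on behalf of someone who is no longer at the console.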
zastita.26dejanr,
==========
security/encryption #238, from forrie, 1654 chars, Tue Feb 19 13:07:13 1991
Comment(s).
----------
TITLE: DES encryption and Public Key method
I have been informed that the US gov't HAS a way to actually crack anything
encoded with the DES algorithm (hence a lot of rumors). Apparently this
type of work takes a computer such as a cray and some time, but can be done.
Assuming this is fact, it would appear logical as to why the US gov't
adopted DES as the encryption standard: it's very secure, but they can
still get in if they want. Has anyone else heard any of the information
above? Unfortunately I don't have some real hard core evidence to back up
this assumption: and I would think that such evidence would be hard to come
by, if not life threatening! :)
On the other hand, I have been told that the method of Public Key encryption
is very secure. I was briefly explained to how it actually works. I wonder
if there are some programs out there that would allow us to use such a
method on a unix system? I would like to look into upgrading certain
system programs to use such a method.... I saw one file in the listings
area, but don't think it directly had to do with Public-Key.
If anyone has some information of Public Key, please post it, or email me.
(Thanks)
Out of curiosity: I am aware that there are certain encryption programs
here in the listings area that implement the DES algorithm, and it
expressly says not to download this out of the country. As we all know
there are many people from outside the US that dial in to BIX. There's not
really a way to 'stop' people from doing such, and most of these DES
pd programs are available on BBS's everywhere... just a curious point.
Thanks a lot... happy encrypting.
==========
security/encryption #239, from hamilton, 1155 chars, Tue Feb 19 13:35:45 1991
Comment to 238. Comment(s). More refs to 238.
----------
Public Key systems are not necessarily by themselves an encryption
mechanism though some are implemented that way. A public key system
by itself need only be a way of distributing the keys, which in turn
might be used with a conventional system such as DES. So it's impossible
to say whether a public key system is secure until you qualify it by
saying which one you mean and what encryption system is used once you've
distributed the keys.
Speculation that the NSA or CIA (or pick your favorite spook agency) had
the means to break DES has been around since DES was first introduced.
Most often, the speculation is that there might be some trap-door
mechanisms in the matrices used in DES that allow for a "master key"
to be used. The basis of the speculation is that the research behind
the matrices has never been disclosed either by IBM (the inventors) or
by the government. That said, I don't know that anyone -- emphasis on
_anyone_ -- of any stature in the field has claimed certain knowledge
that a trapdoor exists. So far, claims that there really is a secret
way to break DES are still in the same category as Elvis sightings,
I'm afraid.
==========
security/encryption #240, from forrie, 385 chars, Tue Feb 19 13:57:38 1991
Comment to 239.
----------
Heh heh: Elvis... a new encryption algorithm! :)
Thanks for clarifying. Do you know where I might download or get more
information regarding this Public-Key distribution?
Yes, I see that this rumor has been around for a while... and I might
deduct that the reason WHY we haven't heard of any actual 'holes'
is because they do in fact exist and they don't want us to know that.
:)
==========
security/encryption #241, from roedy, 304 chars, Tue Feb 19 19:33:13 1991
Comment to 238.
----------
When the original debate was going on I heard some learned types
point out the cracking was beyond current technology, but would
be within the realm of plausibility for the very rich within ten
years. They were suggesting something to hold secure a while
longer. If you want security, use a one-write.
zastita.27dejanr,
==========
security/encryption #242, from forrie, 15 chars, Tue Feb 19 21:05:16 1991
Comment to 241. Comment(s).
----------
A 'one-write'?
==========
security/encryption #243, from roedy, 502 chars, Tue Feb 19 21:19:57 1991
Comment to 242. Comment(s).
----------
By one-write I mean using your random key only once. XOR your
key with your message and send that. The key must be as long as
the message. Never reuse a key. That scheme cannot be cracked.
The only way to defeat it is to cheat and peek over the shoulder
of the users at each end, or intercept the secure courier who gets
the keys to the recipient ahead of time, or . . . , but you cannot
crack it just by studying the coded messages. You can send
them over public channels with no worry at all.
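The scheme described above (XOR a message with a random key as long as itself, use the key once) is the one-time pad. The block below is an added example, not code from the BIX thread: it enforces the "never reuse" rule with a pad store that refuses once its bytes are spent, and shows concretely what is lost when the rule is broken, since with one pad used twice the pad cancels out of c1 XOR c2 and anyone who knows one message gets the other. The two messages are constructed for the example.

```python
"""Added example (not from the BIX thread): the one-time pad as described
above, with the single-use rule enforced in code and the consequence of
breaking it shown explicitly."""
import secrets


def otp_apply(data, pad):
    """XOR data with pad; the same call encrypts and decrypts.
    The pad must be at least as long as the message."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ k for d, k in zip(data, pad))


class PadStore:
    """Hands out each pad byte exactly once. When the pad runs out it
    refuses, rather than silently starting over: never reuse a key."""

    def __init__(self, pad):
        self._pad = pad
        self._pos = 0

    def take(self, n):
        if self._pos + n > len(self._pad):
            raise ValueError("pad exhausted: fresh key material is needed")
        chunk = self._pad[self._pos:self._pos + n]
        self._pos += n
        return chunk


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    """Two constructed 32-byte messages. Used properly, each takes its own
    pad bytes and the ciphertexts are unrelated. Reusing one pad for both
    leaves m1 XOR m2 in c1 XOR c2, so knowing m1 yields m2."""
    m1 = b"meet at the courier drop at noon"
    m2 = b"send the pads by courier tonight"
    store = PadStore(secrets.token_bytes(len(m1) + len(m2)))
    pad1, pad2 = store.take(len(m1)), store.take(len(m2))
    results = {"roundtrip": otp_apply(otp_apply(m1, pad1), pad1) == m1}
    # correct use: different pad bytes, nothing relates the two ciphertexts
    c1_ok, c2_ok = otp_apply(m1, pad1), otp_apply(m2, pad2)
    results["fresh_pads_leak"] = xor_bytes(c1_ok, c2_ok) == xor_bytes(m1, m2)
    # misuse: the same pad twice; the pad cancels out of the XOR
    c1, c2 = otp_apply(m1, pad1), otp_apply(m2, pad1)
    leak = xor_bytes(c1, c2)
    results["reuse_leak"] = leak == xor_bytes(m1, m2)
    results["m2_from_m1"] = xor_bytes(leak, m1) == m2
    # the store refuses a third message: no bytes left, and no reuse
    try:
        store.take(1)
        results["refused_reuse"] = False
    except ValueError:
        results["refused_reuse"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pad store is the practical half of the post's advice: the security argument holds only while every pad byte is used once, so the code path that hands out key material, not the XOR, is where the guarantee has to be enforced.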
==========
security/encryption #244, from forrie, 383 chars, Tue Feb 19 23:02:20 1991
Comment to 243. Comment(s).
----------
I would like to develop standard public-key (secure) encryption in electronic
mail. It is my opinion that email will eventually move to that area. All
mail, whether USnail or email needs to be secure. Period. The only problem
here is standardizing it ... and sometimes when you attempt to standardize
things, you lose security. But it will be an interesting project and
concept.
==========
security/encryption #245, from ssatchell, 269 chars, Wed Feb 20 03:56:16 1991
Comment to 240. More refs to 240.
----------
If you can find a library with back issues of Dr Dobbs, look in 1988 for
a cookbook for RSA encryption schemes. It was a two-part article with
a two-month delay for the second part. Sorry I can't be more specific,
but my issues are about 280 miles away right now...
==========
security/encryption #246, from ssatchell, 428 chars, Wed Feb 20 03:59:22 1991
Comment to 244. Comment(s).
----------
I'm planning to use DES encryption, but with multiple encryptions and
much larger coding blocks. The idea is that a Cray could brute-force
decrypt a message encoded with a single key, but the amount of CPU time
required to decrypt a multi-key message involving large (64-byte) blocks
of text increases by quite a bit.
This is to protect Project Notify registration data when sending
it from data switch to data switch...
==========
security/encryption #247, from roedy, 24 chars, Wed Feb 20 04:33:41 1991
Comment to 246.
----------
What is Project Notify?
==========
security/encryption #248, from hamilton, 2107 chars, Wed Feb 20 10:00:59 1991
Comment to 240. Comment(s).
----------
There are several public key systems that have been proposed. RSA is one,
but it's not my favorite for a couple reasons: it's patented and Rivest
and Shamir (the inventors) want some big fees and because it's designed
as an integrated public key + encryption system, you wouldn't normally
think of distributing keys with RSA and encrypting with something else,
so it's somewhat inflexible in its design. Also, its performance is
much poorer than DES and less amenable to improvement using HW. Finally,
it's been broken. (I mean really. Not like DES, where people suspect
the NSA might have some secret way of breaking it even though no one
else has been able to do it. With RSA, the method of breaking it, albeit
fairly compute intensive, was published a couple years ago.)
My own preference for a public key scheme would be the mechanism Martin
Hellman and W. Diffie proposed in an article in IEEE Computer in 1976 (?).
Sorry, I don't have the article easily available but its title was
something like "New Directions in Cryptography" or something like that.
(Maybe someone here can cite the reference.) I'm hazy after all these
years how they did it but basically they had two one-way math functions
(easy to calculate one way but nearly impossible to invert), one to
produce public keys from private keys and one to take a public key + a
private key and produce an encryption key. Each person chooses a private
key, runs it thru the first function and then tells everyone what his
public key is. To send a message, you create an encryption key using
your private key and your recipient's public key and use that key with
something like DES. Your recipient calculates the encryption key using
his private key and your public key.
One nice side-benefit of a public key scheme is that it provides digital
signatures: when you get a message, you know absolutely positively who
sent it since no one else could have created that key.
But I must warn you that public key systems do introduce a new point of
attack. If that one-way scheme isn't as one-way as you thought, someone
could crack it.
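The exchange hamilton recalls, as an added example (not code from the post): the two one-way functions are written out explicitly, the group is a toy safe prime constructed for this example and far too small for real use, and SHA-256 stands in for the step that turns the shared value into a key for "something like DES".

```python
# Added example, not code from hamilton's post: the Diffie-Hellman exchange
# he describes, with the two one-way functions spelled out. The group is a
# toy safe prime picked for this example (real groups are 2048+ bits).
import hashlib
import secrets

P = 9887          # toy safe prime: P = 2*Q + 1 with Q prime (constructed parameter)
Q = (P - 1) // 2  # 4943
G = 2             # generates the subgroup of prime order Q modulo P


def new_private_key() -> int:
    """A private key is just a random exponent; it never crosses the link."""
    return 1 + secrets.randbelow(Q - 1)


def public_from_private(priv: int) -> int:
    """One-way function 1: private key -> public key, G^priv mod P.
    Easy to compute, hard to invert (discrete logarithm) at real sizes."""
    return pow(G, priv, P)


def shared_secret(my_priv: int, their_pub: int) -> int:
    """One-way function 2: my private key + their public key -> shared value.
    Both sides reach G^(a*b) mod P. The checks reject 1, P-1 and anything
    outside the order-Q subgroup, so a tampered public value cannot force a
    predictable result."""
    if not 1 < their_pub < P - 1:
        raise ValueError("public value out of range")
    if pow(their_pub, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return pow(their_pub, my_priv, P)


def encryption_key(secret: int) -> bytes:
    """Derive the symmetric key both parties will use from the shared value
    (SHA-256 here; the post only says 'something like DES' for the cipher)."""
    return hashlib.sha256(secret.to_bytes(2, "big")).digest()


if __name__ == "__main__":
    a, b = new_private_key(), new_private_key()
    A, B = public_from_private(a), public_from_private(b)   # the only values sent
    assert encryption_key(shared_secret(a, B)) == encryption_key(shared_secret(b, A))
    print("both sides derived", encryption_key(shared_secret(a, B)).hex())
```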
==========
security/encryption #249, from bstrauss, 236 chars, Wed Feb 20 23:16:44 1991
Comment to 248. Comment(s).
----------
Can you give more details about the "cracking" of RSA? I wasn't
aware of any *general* solution. There have been examples where
large numbers have been factored, but I thought there were
special circumstances involved...
-----Burton
==========
security/encryption #250, from hamilton, 365 chars, Wed Feb 20 23:39:56 1991
Comment to 249.
----------
I wish I could remember, now. But it received (considering the special
interest nature of the topic) quite wide-spread press coverage at the time.
I don't think there was a newspaper left in the country that didn't carry
a story about it. As I recall, I think it did have something to do with
a new search strategy for factoring, but after that, I'm pretty hazy.
==========
security/encryption #251, from ssatchell, 337 chars, Thu Feb 21 02:20:33 1991
Comment to 247.
----------
>What is Project Notify?
Pointer to "disasters/project.notify", starting with message 1. Also
a white paper is in "disasters/listings". If you wait too much longer,
there will even be an up-to-date version of that white paper to read.
Short answer: not-for-profit providing health and welfare
message service during disasters.
==========
security/encryption #252, from ssatchell, 171 chars, Thu Feb 21 02:22:07 1991
Comment to 250.
----------
Most of the RSA-cracking depends on supercomputers building tables of
factors for large numbers. 100-digit RSA is getting cheap to crack.
400-digit RSA is still safe...
==========
security/encryption #253, from roedy, 273 chars, Thu Feb 21 03:49:12 1991
Comment to 248.
----------
I believe the trap door functions made the presumption it was
very difficult to factor large numbers into prime factors
rapidly. Somebody -- I think about six months ago, said they
had found a new very rapid method of factoring, which makes the
trap door method insecure.
zastita.28dejanr,
==========
security/main #1138, from hkenner, 1900 chars, Fri Feb 22 12:51:18 1991
----------
TITLE: Littlewood's Cipher
I post the following for what interest it may have. Edward Littlewood
was reputedly the best British mathematician of his time (first half of
20th century). On p. 43 of *Littlewood's Miscellany* (1986) we find:
The legend that every cipher is breakable is of course absurd,
although still widespread among people who should know better. I give a
sufficient example, without troubling about its precise degree of
practicability. Suppose we have a 5-figure number N. Starting at a
place N in a 7-figure log table, take a succession of pairs of digits,
d1d'1, d2d'2 ... from the last figures of the entries. Take the
remainder of the 2-figure number dnd'n after division by 26. This gives
a "shift" sn, and the code is to "shift" the successive letters of the
message by s1, s2, ... respectively. [Note: a "shift" of 2 turns 'k'
into 'm', 'z' into 'b'.]
It is sufficiently obvious that a *single* message cannot be
unscrambled, and this even if all were known except the key number N
(indeed the triply random character of sn is needlessly elaborate.) If
the same code is used for a number of messages it could be broken, but
all we need do is vary N. It can be made to depend on a date, given in
clear; the key might e.g. be that N is the first 5 figures of the
*tangent* of the date (read as degrees, minutes, seconds: 28 deg 12 min
52 sec for Dec 28, 1952). This rule could be carried in the head, with
nothing on paper to be stolen or betrayed. If anyone thinks there is a
possibility of the entire scheme being guessed, he could modify 26 to 21
and use a date one week earlier than the one given in clear.
End of excerpt. As the specimen date indicates, Littlewood was writing
in the days of log tables. The whole scheme ought to be easy to
computerize. Any two people (Or small group) would simply agree on
their scheme for encoding N.
--HK.
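The excerpt's cipher computerized as the post suggests, as an added example (not from hkenner's post or Littlewood's book): math.log10 rounded to seven decimals stands in for the 7-figure log table, and reading the date rule as "first five significant figures of the tangent" and passing non-letters through untouched are this example's own assumptions. Note that the entire key is the 5-figure N, so there are at most 100,000 possible keys.

```python
# Added example, not from hkenner's post or Littlewood's book: the cipher
# from the excerpt. math.log10 rounded to 7 decimals replaces the log table;
# the date rule and the handling of non-letters are assumptions.
import math
import string

ALPHABET = string.ascii_lowercase


def shift_letter(c: str, s: int) -> str:
    """Littlewood's 'shift': a shift of 2 turns 'k' into 'm' and 'z' into 'b'."""
    base = ALPHABET.index(c.lower())
    out = ALPHABET[(base + s) % 26]
    return out.upper() if c.isupper() else out


def table_shift(entry: int, modulus: int = 26) -> int:
    """s_n: last two figures of the 7-figure log-table entry, reduced mod 26
    (or mod 21 for the variant Littlewood mentions)."""
    mantissa = math.log10(entry) % 1.0
    seven_figures = int(round(mantissa * 10_000_000))   # the table entry as an integer
    return (seven_figures % 100) % modulus


def key_stream(n: int, count: int, modulus: int = 26) -> list:
    """s_1, s_2, ... taken from consecutive entries N, N+1, N+2, ..."""
    return [table_shift(n + i, modulus) for i in range(count)]


def littlewood(text: str, n: int, decrypt: bool = False, modulus: int = 26) -> str:
    """Shift the i-th letter of text by s_i; other characters pass through
    and do not consume a shift (assumption, the excerpt speaks only of letters)."""
    letters = sum(1 for c in text if c.lower() in ALPHABET)
    shifts = iter(key_stream(n, letters, modulus))
    out = []
    for c in text:
        if c.lower() in ALPHABET:
            s = next(shifts)
            out.append(shift_letter(c, -s if decrypt else s))
        else:
            out.append(c)
    return "".join(out)


def key_from_date(day: int, month: int, year2: int) -> int:
    """Littlewood's sample rule: read the date as degrees, minutes, seconds
    (28 deg 12 min 52 sec for Dec 28, 1952) and take the first 5 figures
    of its tangent. year2 is the two-digit year."""
    angle = math.radians(day + month / 60 + year2 / 3600)
    digits = f"{abs(math.tan(angle)):.12f}".replace(".", "").lstrip("0")
    return int(digits[:5])


if __name__ == "__main__":
    n = key_from_date(28, 12, 52)            # date goes in clear; the rule stays in the head
    ct = littlewood("Meet at the usual place", n)
    print(n, ct, littlewood(ct, n, decrypt=True))
```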
zastita.29dvidovic,
May I ask a question? The other day I downloaded the new CLEAN from Sezam
and decided to check it. I have a heap of small files infected with the Vienna virus
which earlier versions of this program cleaned without any problem. However, the new version
failed to remove it from three files, that is, it didn't detect it at all. The old
CLEAN (ver 6.0V64) cleaned them without any problems. Could it be that the new CLEAN has some
problems? In any case, the old version is still current for me.
Regards, Dule
zastita.30dejanr,
If anyone can be bothered to download this from BIX, I think it could
be interesting:
==========
security/new.listings #81, from hshubs, 1111 chars, Wed Mar 20 13:16:50 1991
Comment(s).
----------
TITLE: Paper on encryption, from NIST. It's got _everything_ in there!
------------------------------------------------
crypt.zip 120832 Approx time: 0:16 at 2400 baud, 0:31 at 1200 baud
Date: Wed Mar 20 13:10:40 1991
PUBLIC-KEY CRYPTOGRAPHY - James Nechvatal, Security Technology Group,
NCSL, National Institute of Standards and Technology, December 1990
This publication presents a state-of-the-art survey of public-
key cryptography circa 1988 - 1990. In doing so, it covers a number
of different topics including:
1. The theory of public-key cryptography.
2. Comparisons to conventional (secret-key) cryptography.
3. A largely self-contained summary of relevant mathematics.
4. A survey of major existing public-key systems.
5. An exploration of digital signatures and hash functions.
6. A survey of public-key implementations in networks.
7. An introduction to zero-knowledge protocols and
probabilistic encryption.
8. An exploration of security issues and key sizes.
Keywords: PAPERS encryption issues publickey theory
zastita.31ppekovic,
Here is the file CRYPT.ZIP from BIX ...
Paya
crypt.zip
zastita.32dejanr,
>> Here is the file CRYPT.ZIP from BIX ...
Thanks, Payo!
zastita.33bulaja,
Does anyone have experience with hardlocks (i.e. dongles)? I need them
to be obtainable in YU, to attach to the LPT port without causing problems,
to be small and look nice :),... Actually, the most important thing is that they work.
zastita.34dejanr,
==========
security/main #1156, from david42, 887 chars, Sun Apr 7 07:17:46 1991
Comment(s).
----------
TITLE: Unusual Request
I need a "friendly" cracker attack.
I am currently testing some new bbs software. It has not been proven yet
under attack from cracker attempts.
I would like to get the help of one or two quality hacker types (which could
be a reformed cracker) to attack the system at a pre-planned date and time.
This way, I could be at the main facilities and can monitor the attempts and
see where weaknesses in the software exist.
I envision 3 levels of attack:
1. An attack in which the cracker knows nothing about the system.
2. An attack in which the cracker has obtained a name and password.
3. #2 together with detailed knowledge of the hardware, op sys and applic-
ations software.
For #3, I have to know this person *very* well and be able to trust him or
her. But, if possible, I would like to do it.
Any comments, suggestions and/or ideas?
David
==========
security/main #1157, from dave2, 478 chars, Sun Apr 7 20:50:32 1991
Comment to 1156. Comment(s). More refs to 1156.
----------
With properly implemented passwords nobody is going to get in, particularly
if you have an appreciable delay after an invalid password attempt.
In the Good Old Days, all cracker-types needed was a phone number.
Most systems had no security at all. I periodically log into one
Federal machine with four layers of passwords - mega-paranoia, but nobody
is going to hack his way through two assigned passwords and two chosen
passwords without the system administrator noticing.
==========
security/main #1158, from cwills, 517 chars, Sun Apr 7 22:24:08 1991
Comment to 1157. Comment(s).
----------
Here is a method for making cracking a password even harder.. Add a
delay between each attempt and keep increasing it. The first delay
might be 0, the second 10 secs, the third 30 secs, the 4 a minute
then just start doubling the time. If the line drops, remember the
account name and just pick up right where you left off. Most users that
have "remembered" their password, but finger-check while typing it in
won't mind the small delay.
Oh.. once a user has logged on, reset the counter back to zero.
Cheyenne
==========
security/main #1159, from jriecke, 98 chars, Sun Apr 7 23:04:40 1991
Comment to 1156. Comment(s).
----------
What's your area code + exchange number?
If your # is PCPursuitable, I would like to help there.
==========
security/main #1160, from jriecke, 615 chars, Sun Apr 7 23:09:59 1991
Comment to 1158. Comment(s). More refs to 1158.
----------
Plus, make the system generate a warning message to the user automatically
which can't be erased by the user, only by the sysop, telling that
somebody has been attempting to use his account.
VERY IMPORTANT: Make the system allow only passwords larger than 6 characters
and including somewhere, at least one number , PLUS make the pwd CASE
sensitive. This helps a lot, since the number of possible combinations
is MUCH higher..
The main problem with security systems is the lines being tapped..
You can have a 4-layer password system and everything, but if someone
is tapping your phone line, all this does not help.
==========
security/main #1161, from david42, 156 chars, Mon Apr 8 02:48:01 1991
Comment to 1158. Comment(s).
----------
Thanks. I am using an increasing delay system for each invalid attempt with
a logging feature. Glad to know I'm on the right track - at least in this
area.
==========
security/main #1162, from david42, 368 chars, Mon Apr 8 02:53:54 1991
Comment to 1160.
----------
Thanks, that is an excellent idea. I will implement it right away. Passwords
are already alpha-numeric and case sensitive. We also have a way to monitor
use patterns to spot anomalies. I like the idea of telling the user of attempts
as it is very clever. BTW, the user has the ability to see his own on/off time
log. Helps in tracking PC Pursuit total time used.
==========
security/main #1163, from david42, 1106 chars, Mon Apr 8 03:02:57 1991
Comment to 1159. Comment(s).
----------
Thank you for the offer. The system is accessible via PC Pursuit on an outdial
modem basis at 2400 baud access, 8 data bits, no parity, 1 stop bit.
While I have made Tony Lockwood aware of my project and he has expressed no
concern regarding it being competitive with BIX (to me it is not - we are
moving in a different area) - it is a for profit venture and I think it would
be inappropriate for me to post the number here.
I have joined the bbs conference and have asked wheellock for the proper
method to mention what I'm doing in the "recommended" topic over there. When
I find out the proper way to proceed, I will post details there.
Please BIXmail me with what you have in mind. If it seems reasonable, I will
give you the number and we will set a time for you to experiment. I am willing
to let a number of people experiment with "cracking" if they will be kind
enough to work with me on it. That way, if a hole is found, then I can plug it.
And, it might make sense to give out a few accounts to see if the system can
be cracked by someone who subscribes and then does nasty things.
David M.
==========
security/main #1164, from yllar.17, 1686 chars, Mon Apr 8 05:06:01 1991
Comment to 1163. Comment(s).
----------
here's something I've run across several times
which makes guessing pw's a little easier.....
when the system asks for a username/acct, and then a pw
give no indication whatsoever whether the username
or the pw is valid until they both match exactly..
example..
System asks for username...
hacker types 'Joe'
which is a valid user name...
then the system asks for a pw...hacker types
'whatever', the user name is correct, but the pw
is wrong...so the system simply asks for the password
again, giving the hacker a hint that there is a user acct
called 'Joe' it should simply say 'username/password invalid'
and ask for the username again...at least that way
the hacker/cracker/??? has to work a tad harder to
get in....and doesn't have a starting place...
I've seen many many systems do that...same goes with acct
numbers on bbs's....NEVER tell someone anything about the system
until they enter a correct user/pw combo..
another thought, which is common...ask for the phone number
they gave when signing up to the system...
in the form 'Complete phone.... ###-####-???? DO NOT
give the first portion of the number when asking the question
for that matter, ask for the phone num right after the pw
and check all three (or more) data at once, before
telling the user anything..that ways, the hacker
must get all three correct, or he doesn't get on
he misses one, he has no idea which is wrong...
concerning pw's...make em case sensitive...
sure it's a little bit of a pain, but if someone
happens to see the pw, and doesn't know it's
case sensitive, they might not be able to remember
the case of the pw...
just some common methods of protection...and common sense...
L8tr
:(
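One login gate that folds together cwills' escalating delay (#1158), jriecke's password rule and sysop-cleared warning (#1160) and yllar.17's rule of saying nothing until name, password and phone all match (#1164), as an added example that is not the BBS software david42 is testing and not code from any post. The account data, the fixed salt and the injected clock are constructed for the example so the delay schedule can be exercised without sleeping.

```python
# Added example, not code from any post in this thread: a login gate
# combining the escalating delay (#1158), the password rule and persistent
# warning (#1160) and the "no hint which field was wrong" rule (#1164).
import hashlib
import hmac
import time

DELAYS = [0, 10, 30, 60]          # cwills: 0, 10 s, 30 s, 1 min, then doubling
GENERIC_FAILURE = "username/password invalid"


def delay_for(failures: int) -> int:
    """Seconds the gate waits before processing another attempt on an account
    that already has `failures` consecutive bad attempts against it."""
    if failures < len(DELAYS):
        return DELAYS[failures]
    return DELAYS[-1] * 2 ** (failures - len(DELAYS) + 1)


def password_acceptable(pw: str) -> bool:
    """jriecke's rule: more than 6 characters and at least one digit.
    Case sensitivity comes from comparing the exact string at login."""
    return len(pw) > 6 and any(ch.isdigit() for ch in pw)


def digest(secret: str) -> bytes:
    """Hash of a stored credential. Constructed fixed salt for the example;
    a real system keeps a random salt per account."""
    return hashlib.sha256(b"example-salt:" + secret.encode()).digest()


_DUMMY = digest("no such account")   # compared against when the name is unknown


class LoginGate:
    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts       # name -> (password digest, phone digest)
        self.clock = clock
        self.failures = {}             # name -> consecutive failures (kept across line drops)
        self.next_allowed = {}         # name -> earliest time another attempt is processed
        self.warnings = {}             # name -> notice that only sysop_clear_warning removes

    def attempt(self, name: str, password: str, phone: str):
        """Returns (logged_in, message). The message never says which field
        was wrong, and all three fields are checked even for unknown names."""
        now = self.clock()
        if now < self.next_allowed.get(name, 0.0):
            return (False, GENERIC_FAILURE)            # still inside the delay window
        known = name in self.accounts
        pw_ref, ph_ref = self.accounts.get(name, (_DUMMY, _DUMMY))
        # '&' rather than 'and': every comparison runs regardless of the outcome
        ok = (known
              & hmac.compare_digest(digest(password), pw_ref)
              & hmac.compare_digest(digest(phone), ph_ref))
        if ok:
            self.failures[name] = 0                     # cwills: reset on success
            self.next_allowed.pop(name, None)
            return (True, self.warnings.get(name, "welcome"))
        n = self.failures.get(name, 0) + 1
        self.failures[name] = n
        self.next_allowed[name] = now + delay_for(n)
        if known:                                       # jriecke: tell the real owner
            self.warnings[name] = f"{n} failed attempt(s) on your account since your last login"
        return (False, GENERIC_FAILURE)

    def sysop_clear_warning(self, name: str) -> None:
        """Only the sysop clears the notice; a login merely displays it."""
        self.warnings.pop(name, None)
```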
==========
security/main #1168, from cwills, 924 chars, Mon Apr 8 17:22:15 1991
Comment to 1164. Comment(s). More refs to 1164.
----------
Another interesting security scheme that I have read about was a "rule"
based system. Here the user is prompted with some sort of question
that only the user would really know the correct answer for. The
rules I believe were "made up" by the user. An example (if I can
remember it correctly was)
1492?
==> america
or
1492?
==> 16
Here the user during some prior logon session responded to some questions
with some answers. Each logon brings up a different question from the
pool with no question being allowed more than x times. The rules were
not limited to specific questions/answers there were also rules that
you were presented with groups of numbers or names and you had to
perform some predefined operation on them (again the user defined the
operation).
The idea behind this idea is that even if the answer for a question was
exposed, the system wouldn't use the same question again.
Cheyenne
==========
security/main #1169, from david42, 151 chars, Mon Apr 8 20:13:19 1991
Comment to 1164. More refs to 1164.
----------
Thanks. I give no indication about correctness until both name and password
have been entered. Clever about the original phone #. I like that a lot.
==========
security/main #1170, from david42, 219 chars, Mon Apr 8 20:16:30 1991
Comment to 1168. Comment(s).
----------
That is very "intelligent". You are actually asking the person to identify
themselves by comparing their prior thought processes with their current ones.
That may be overkill for my needs. But, it is a very good idea.
==========
security/main #1171, from cwills, 331 chars, Mon Apr 8 20:38:18 1991
Comment to 1170. Comment(s). More refs to 1170.
----------
One of the more "interesting" security systems also "watched" your
typing actions and remembered things like typing speed. Everyone has
different speeds between characters, of misspelled words, etc. Though
with today's micros frontending systems (ie using comm programs and
"scripts" to logon with) such a system would be moot.
==========
security/main #1172, from jriecke, 70 chars, Mon Apr 8 23:07:54 1991
Comment to 1171.
----------
Not to mention the delays of packet switching networks and satellites
==========
security/main #1173, from bstrauss, 772 chars, Mon Apr 8 23:45:38 1991
Comment to 1164. Comment(s). More refs to 1164.
----------
Good idea is to prohibit all dictionary words. Best password I
ever used was 'CHICAGOZ'. At the time I had system privileged
accounts tho I was still a student and fellow students tried to
get my pswd by watching my fingers. They all saw CHICAGO, but
nobody ever caught the pinky hitting Z just an instant before
I obviously hit the return key.
Another important thing is to tell the users about their last
session - many people will remember "gee, I wasn't on last
tuesday, I was at the research center". Information like the
date, time, session length and terminal used (especially if you
have a TTY# that can be tied to a text file of locations):
Last session, Tuesday, April 2, 1991, at 3:02AM
Logged in for 73 minutes from TTY32 - Tymnet port 02
-----Burton
==========
security/main #1174, from roedy, 69 chars, Mon Apr 8 23:54:31 1991
Comment to 1173. More refs to 1173.
----------
Perhaps even more meaningful is you were last logged on 4 hours ago.
==========
security/main #1175, from jonr, 832 chars, Tue Apr 9 01:59:14 1991
Comment to 1164. More refs to 1164.
----------
Another point is that as very few users touch type, the
name as well as the password should not be displayed as it is entered.
What often happens is that you enter one item and fail to notice that it
was not accepted. You simply go on entering the password and it shows
up for the incredible hulk and his brother to see in plain sight. If nothing
was echoed except for encouraging messages (and perhaps asterisks) until
your logon succeeded, this could be prevented. Where the system has to
be penetrated from outside, the mere problem of determining the protocol
for logging in is serious, before the password question arises.
Of course, if you feel that ONLY the password should be hidden,
you could demand its hidden entry first, then go into visible mode
for the name etc. (I prefer the all-hidden scheme, though) Jon
==========
security/main #1177, from rjouett, 266 chars, Tue Apr 9 03:33:51 1991
Comment to 1164. Comment(s).
----------
I don't know about other unix systems, but when u do a "who" at
the user-logon prompt on a pyramid system under BSD, you'll get
a complete list of user-id's just as you would if you did a "who"
while at a shell prompt. This brain-dead option should be removed.
Randy
==========
security/main #1178, from david42, 254 chars, Tue Apr 9 03:52:50 1991
Comment to 1173. Comment(s).
----------
Neat.
I like ChicagoZ <grin>
Seriously, the system I designed allows each user to review a complete log
of his/her activity. But, your approach puts it up in front of them. No doubt
my users will not review their log very often. Very good suggestion.
==========
security/main #1179, from yllar.17, 322 chars, Tue Apr 9 06:18:03 1991
Comment to 1177. Comment(s).
----------
humm...i didn't know that, but definitely that should
be nuked...even better...(and crueler), have
a file that the sysmanager, can make up that
will display when they do that who, that displays
perhaps a fake bunch of users, or a nice little
message (hello mr. hacker..please leave me alone
i don't like you..)
L8tr
:(
==========
security/main #1180, from rjouett, 492 chars, Tue Apr 9 06:29:23 1991
Comment to 1179. More refs to 1179.
----------
Actually, it was kinda nice. BTW, this was a few years back. I'm not sure
if this problem still exists, in other words. The nice thing about it was
that you could see if a friend was logged on; therefore, u cud logon and
send him/her a message and log back off. Really nice feature, but a _big_
problem as far as security goes. BTW, I asked a friend in cbix to try it on
his Sun, and he told me that it just asked for a password, so I guess
that it could only be on sum flavors of Un*x.
Randy
==========
security/main #1181, from roedy, 67 chars, Tue Apr 9 14:17:59 1991
Comment to 1178.
----------
Placing zeros and 1s for O and I can also confuse people who watch
==========
security/main #1182, from jbhines, 330 chars, Tue Apr 9 22:34:28 1991
Comment to 1161. Comment(s).
----------
Digital's VMS OS uses another means of catching password
crackers, after XX attempts, it logs the action, and starts
"breakin evasion" in which it disables the account for some
random period of time. Thus, after 5 password failures, _no_
password will work, even the correct one, for about 10-15
minutes.
-John
==========
security/main #1183, from hshubs, 162 chars, Tue Apr 9 23:14:26 1991
Comment to 1182. More refs to 1182.
----------
VMS can also totally disable the username being tried until the System
Manager takes action, and/or that terminal/username combination can
be disabled, I think.
==========
security/main #1184, from mbarbieri, 281 chars, Tue Apr 9 23:41:02 1991
Comment to 1179.
----------
Perhaps better than an anti-hacking message would be a list of
fake user-ids that triggered an alert when used. The idea would
be to keep the hacker occupied with something that he thought was
working while you tried to figure out where he was or what he was
up to.
--> Mark <--
==========
security/main #1185, from agni, 234 chars, Wed Apr 10 00:36:16 1991
Comment to 1170. Comment(s).
----------
You want to get really nasty?
do the following:
computer: 42
computer: ?
The user needs to solve ax^2+bx+c to get the answer for the computer.
you could automate this into a terminal program. and make it more nasty.
+Agni
==========
security/main #1186, from david42, 94 chars, Wed Apr 10 05:46:33 1991
Comment to 1182.
----------
That sounds like a good idea - disabling even valid passwords after so many
invalid attempts.
==========
security/main #1187, from david42, 114 chars, Wed Apr 10 05:48:11 1991
Comment to 1185. Comment(s).
----------
Clever - good if you have a comm program running on the calling computer
and, that comm program can do the math.
==========
security/main #1188, from agni, 174 chars, Wed Apr 10 21:58:22 1991
Comment to 1187. Comment(s).
----------
It is also good, in that if the equation is long enough, you are secure from
many repeated observations. It is very difficult to do the factoring necessary.
+Agni
==========
security/main #1189, from bstrauss, 963 chars, Thu Apr 11 16:08:11 1991
Comment to 1188.
----------
I have seen, in magazine articles, this scheme blown out a bit.
It's often called "Pass algorithms" and can be made very secure. One
extension is to achieve access by demonstrating that you know the algorithm
without divulging it across the link. (The weakness of a password is that
a listener can see it, regardless of whether it's invisible or overtyped
on your terminal - the letters must travel the link).
The scheme works like this:
The machine sends a stream of values to you. You process them through
your (secret) algorithm and send back an answer. The security of the
process depends on the number of ask/answer pairs.
For example, you get a 5 digit number and reply 0 or 1. An intruder has
a 50% chance of being right. The probability of 10 or 50 or 500 right
answers without knowing the algorithm is very small.
This was proposed for all electronic use, i.e. in smart cards (how does
the system know that the card is valid?)...
-----Burton
zastita.35yupc,
HELP
Around me the STRESS program is in use,
but since it was written for one specific company, it only runs
on an AT 286 with an AMI BIOS from 1987. Since
the people around me are mostly a 32-bit crowd with newer
BIOSes ... We need help.
The program is written in FORTRAN (most likely 3.31)
and towards the end it (most likely) calls something at a particular
location in the BIOS, and if it isn't there ... there are no output
results either.
Impatiently, YUPC
zastita.36alazic,
> Around me the STRESS program is in use,
> but since it was written for one specific company, it only runs
> on an AT 286 with an AMI BIOS from 1987. Since
> the people around me are mostly a 32-bit crowd with newer
> BIOSes ... We need help.
>
Here's an idea for you:
Find a machine on which the Stress program runs and a similar one on which
it doesn't. Then trace it in some debugger on both machines, logging (i.e. writing
to a file) CS:IP, or better yet just IP, and then compare the execution flow with
the help of some little program, i.e. look for the first two differing IP values.
I'd bet that at the preceding cs:ip address there is one of the Jxx instructions.
I warmly recommend replacing it with a JMP and that would be all (at least it seems
so to me). The only problem is that I had some dodgy debugger that would log cs:ip,
but I accidentally deleted it. You'll have to ask around whether others know of a
debugger that does this properly (turbo debugger v 1.0 (the version that comes with
TC 2.0) doesn't work properly ... So one question: does anyone have or know of a
debugger that can write IP values to a file?
zastita.37dejanr,
==========
tojerry/long.messages #502, from hga, 7501 chars, Wed May 1 09:19:41 1991
----------
TITLE: Potential *major* computer scandal
This reached me from the Risks Digest, which is an Internet etc. email
"Forum On Risks To the Public In Computers and Related Systems," which
is sponsored by the ACM Committee on Computers and Public Policy and
moderated by Peter G. Neumann. The item itself was forwarded from
the USENET comp.dcom.telecom topic. Today's (1 May 91) issue of _The
Wall Street Journal_ has an article on page B1 on the subject.
Date: 26 Apr 91 19:09:50 GMT
From: overlf!emanuele@kb2ear.ampr.org (Mark A. Emanuele)
Subject: Prodigy or Fraudigy ???
I just downloaded this from a local bbs and thought it might be interesting.
### BEGIN BBS FILE ###
[section on investigations of deceptive trade practices by the L. A.
County District Attorney moved to next message; Prodigy is having a
lot of problems because of their bait-and-switch, advertising the
service as costing only 9.95 or so per month, and then adding a charge
for email. I think they've already settled in Texas.]
Prodigy: More of a Prodigy Than We Think?
By: Linda Houser Rohbough
[She is quoted in today's article in _The Wall Street Journal_, page B1]
The stigma that haunts child prodigies is that they are difficult to get
along with, mischievous and occasionally, just flat dangerous, using innocence
to trick us. I wonder if that label fits Prodigy, Sears and IBM's
telecommunications network?
Those of you who read my December article know that I was tipped off at
COMDEX to look at a Prodigy file, created when Prodigy is loaded STAGE.DAT. I
was told I would find in that file personal information from my hard disk
unrelated to Prodigy. As you know, I did find copies of the source code to our
product FastTrack, in STAGE.DAT. The fact that they were there at all gave me
the same feeling of violation as the last time my home was broken into by
burglars.
I invited you to look at your own STAGE.DAT file, if you're a Prodigy
user, and see if you found anything suspect. Since then I have had numerous
calls with reports of similar finds, everything from private patient medical
information to classified government information. [Note: the WSJ
article also mentions the file CACHE.DAT, as does a item below.]
The danger is Prodigy is uploading STAGE.DAT and taking a look at your
private business. Why? My guess is marketing research, which is expensive
through legitimate channels, and unwelcomed by you and me. The question now is:
Is it on purpose, or a mistake? One caller theorizes that it is a bug. He
looked at STAGE.DAT with a piece of software he wrote to look at the physical
location of data on the hard disk, and found that his STAGE.DAT file allocated
950,272 bytes of disk space for storage.
Prodigy stored information about the sections viewed frequently and the
data needed to draw those screens in STAGE.DAT. Service would be faster with
information stored on the PC rather than the same information being downloaded
from Prodigy each time.
That's a viable theory because ASCII evidence of those screens shots can
be found in STAGE.DAT, along with AUTOEXEC.BAT and path information. I am led
to believe that the path and system configuration (in RAM) are diddled with and
then restored to previous settings upon exit. So the theory goes, in allocating
that disk space, Prodigy accidentally includes data left after an erasure (As you
know, DOS does not wipe clean the space that deleted files took on the hard
disk, but merely marks the space as vacant in the File Allocation Table.)
There are a couple of problems with this theory. One is that it assumes
that the space was all allocated at once, meaning all 950,272 bytes were
absorbed at one time. That simply isn't true. My STAGE.DAT was 250,000+ bytes
after the first time I used Prodigy. The second assumption is that Prodigy
didn't want the personal information; it was getting it accidentally in uploading
and downloading to and from STAGE.DAT. The E-mail controversy with Prodigy
throws doubt upon that. The E-mail controversy started because people were
finding mail they sent with comments about Prodigy or the E-mail, especially
negative ones, didn't ever arrive. Now Prodigy is saying they don't actually
read the mail, they just have the computer scan it for key terms, and delete
those messages because they are responsible for what happens on Prodigy.
I received a call from someone from another user group who read our
newsletter and is very involved in telecommunications. He installed and ran
Prodigy on a freshly formatted 3.5 inch 1.44 meg disk. Sure enough, upon
checking STAGE.DAT he discovered personal data from his hard disk that could
not have been left there after an erasure. He had a very difficult time trying
to get someone at Prodigy to talk to about this.
--------------
Excerpt of email on the above subject:
[this next section lowercased for my eye's convenience]
there's a file on this board called 'fraudigy.zip' that i suggest all
who use the prodigy service take ***very*** seriously. the file
describes how the prodigy service seems to scan your hard drive for
personal information, dumps it into a file in the prodigy
sub-directory called 'stage.dat' and while you're waiting and waiting
for that next menu to come up, they're uploading your stuff and looking
at it.
today i was in babbage's, echelon talking to tim when a
gentleman walked in, heard our discussion, and piped in that he was a
columnist on prodigy. he said that the info found in 'fraudigy.zip'
was indeed true and that if you read your on-line agreement closely,
it says that you sign all rights to your computer and its contents to
prodigy, ibm & sears when you agree to the service.
i tried the tests suggested in 'fraudigy.zip' with a virgin
'prodigy' kit. i did two installations, one to my oft used hard drive
partition, and one onto a 1.2mb floppy. on the floppy version, upon
installation (without logging on), i found that the file 'stage.dat'
contained a listing of every .bat and setup file contained in my 'c:'
drive boot directory. using the hard drive directory of prodigy that
was set up, i proceeded to log on. i logged on, consented to the
agreement, and logged off. remember, this was a virgin setup kit.
after logging off i looked at 'stage.dat' and 'cache.dat' found
in the prodigy subdirectory. in those files, i found pointers to
personal notes that were buried three sub-directories down on my
drive, and at the end of 'stage.dat' was an exact image copy of my
pc-desktop appointments calendar.
check it out for yourself.
### END OF BBS FILE ###
I had my lawyer check his STAGE.DAT file and he found none other than
CONFIDENTIAL CLIENT INFO in it.
Needless to say he is no longer a Prodigy user.
Mark A. Emanuele V.P. Engineering Overleaf, Inc.
218 Summit Ave Fords, NJ 08863 (908) 738-8486
emanuele@overlf.UUCP
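The check the post above recommends ("check it out for yourself") can be automated: pull the printable strings out of the cache file and flag any DOS path that points outside the application's own directory. This is an added example, not tooling from the posts or from Prodigy; the file layout and the sample bytes are constructed.

```python
"""Added example: scan an application's cache file (STAGE.DAT-style) for
printable ASCII runs that look like DOS paths from outside the application's
own directory. Sample bytes are constructed; nothing here is the real format."""
import re

# DOS drive-letter paths such as C:\AUTOEXEC.BAT or C:\NOTES\PRIVATE.TXT.
_DOS_PATH = re.compile(r"[A-Za-z]:\\[A-Za-z0-9_.\\$~-]+")


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes (the `strings` heuristic)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def foreign_paths(blob: bytes, app_dir: str) -> list[str]:
    """Return DOS paths embedded in blob that do not live under app_dir.

    DOS paths are case-insensitive, so the comparison is done in upper case.
    Paths under app_dir (the program's own files) are expected and ignored.
    """
    app_prefix = app_dir.upper().rstrip("\\") + "\\"
    found: list[str] = []
    for s in extract_strings(blob):
        for path in _DOS_PATH.findall(s):
            if not path.upper().startswith(app_prefix) and path not in found:
                found.append(path)
    return found


def report(blob: bytes, app_dir: str = "C:\\PRODIGY") -> dict:
    """Summarise what a user would want to know: which outside paths showed up."""
    paths = foreign_paths(blob, app_dir)
    return {"foreign_paths": paths, "suspicious": bool(paths)}


# Constructed sample cache file: binary screen data, the program's own file,
# and two strings that have no business being in the program's cache.
SAMPLE_STAGE_DAT = (
    b"\x00\x01\x02PRODIGY SCREEN DATA\xff\xfe"
    b"C:\\PRODIGY\\STAGE.DAT\x00\x00"
    b"C:\\AUTOEXEC.BAT\x00"
    b"\x7f\x80C:\\NOTES\\CLIENTS\\PRIVATE.TXT\x00"
    b"\x10\x11"
)

if __name__ == "__main__":
    # Run against a real file with: report(open(path, "rb").read(), "C:\\PRODIGY")
    print(report(SAMPLE_STAGE_DAT))
```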
zastita.38dejanr,
==========
security/main #1246, from roedy, 1169 chars, Sun May 5 19:18:20 1991
Comment to 1241. Comment(s).
----------
I invented what I consider some of the most fiendish code ever written
to give pirates a nervous breakdown. I talked with the boss
about having a tattletale, which would have been very easy to do,
since the program tied into the packet nets every time it was used.
They decided they did not want to be involved with the legal issues.
They figured what I had done already -- which allowed copying, but
not use by another person was sufficient.
The basic idea was I burned the guy's account number into it in a
way that could not be modified. If he gave it away, he was giving away
his credit card.
The anti piracy was a set of rings, each harder to crack than the first.
Each time he thought he had cracked it, only to find out later he had not.
Each ring was tougher to crack because the axe fell less frequently.
Even if he did manage to crack the entire thing, he would never know if
I had yet one more level waiting.
The program was quite complicated on its own. However I added red herring
fields and computed with them in ways similar to the way the real
fields were done. In the source this madness is quite well marked.
But in the object, it is just baffling.
==========
security/main #1247, from rbabcock, 480 chars, Sun May 5 23:06:10 1991
Comment to 1240. Comment(s).
----------
I use a CAD program with a parallel port dongle for copy protection. The
first time I tried it, it failed because the parallel port had been disabled
because of an IRQ conflict. Later, the parallel port failed because of a
huge dust bunny in the bus socket. Our local sales rep says that some
users have had the keys fail. In all of these cases, self-destroying
software would not have been appreciated. (What it actually does is give
a message and turn itself into a demo.)
==========
security/main #1248, from sje, 841 chars, Sun May 5 23:25:46 1991
Comment to 1247. Comment(s).
----------
Note that various computer magazines carry third party advertisements
for software cracks that bypass security dongles like you describe. These
ads seem to always come from firms outside the US (usually in Canada).
Not too long ago there was a fairly complex DNA sequencing utility
that used a silent form of copy protection. If the program decided that it
was an unofficial copy, it would subtly introduce errors in its nucleotide
sequence output without any warning. Take a minute and think about the
horrible consequences that could be caused by an unintentional mistake by
a biolab technician. The company was rightfully denounced in the periodic
biotech literature, and I wouldn't be surprised if they were put out of
business. Certainly, they would never be able to get commercial liability
insurance at any price. -- Steve
==========
security/main #1249, from rbabcock, 104 chars, Sun May 5 23:29:50 1991
Comment to 1248. Comment(s).
----------
I actually like the dongle. It means that I can take the software home for
use without feeling guilty.
==========
security/main #1251, from hshubs, 112 chars, Sun May 5 23:30:50 1991
Comment to 1249. More refs to 1249.
----------
Why should you feel guilty about using software you purchased? Dongles can
be a major pain in the arse, IMHO.
==========
security/main #1252, from sje, 366 chars, Sun May 5 23:34:52 1991
Comment to 1249. Comment(s).
----------
If you have paid for the original software and are only using it on
one machine at a time, why should you feel guilty at all? Current copyright
law allows for "fair usage" with a provision for making a limited number of
copies for private usage. As long as the originator is not being deprived
of potential income, there is no legal (or moral) problem. -- Steve
==========
security/main #1253, from roedy, 262 chars, Sun May 5 23:45:54 1991
Comment to 1250. Comment(s).
----------
I think the proper solution is to have the CPU have an instruction
that coughs up a unique serial number as well as the CPU type --
SX , 386 etc. Then you go through an install process to make software
run only on one machine, or logically move it to another.
==========
security/main #1254, from hshubs, 177 chars, Sun May 5 23:50:52 1991
Comment to 1252. Comment(s). More refs to 1252.
----------
Some licenses even say that they don't care how many machines you have the
software on, as long as only one copy is being used at a time. Those are
the most reasonable, IMHO.
==========
security/main #1255, from hshubs, 72 chars, Sun May 5 23:59:31 1991
Comment to 1253.
----------
Doesn't help, since you can always reinstall from the original master.
==========
security/main #1256, from sje, 1157 chars, Mon May 6 00:02:42 1991
Comment to 1254. Comment(s). More refs to 1254.
----------
That sounds reasonable to me, too. These companies get the first
chance at my business.
Dongle Anecdote:
During a business flight last year from Boston to LA, I happened to
be seated next to a woman who held a fairly high position at a software
company that produced an expensive AI utility. I was quite familiar with
the program as I had used a legal copy where I worked at the time. I just
couldn't resist telling her about how easy it was to defeat the dongle that
was supposedly required for the product. (No, I won't give details here on
BIX, so don't ask.) I encouraged her to use personalization and/or "look
it up in the manual" protection instead.
She replied that she would certainly look into the matter; she
herself was not too thrilled with the dongle because of the failure of a
fairly important demo at a serious commercial exhibition. It seems that
the staff had gotten the computer, the software, the power hook-up, the
manuals, and just about everything else correct, yet the demo failed
miserably. Guess which component was missing? "Hoist by Thy Owne Petard",
as Chaucer would say. I chuckled over half of Iowa. -- Steve
==========
security/main #1257, from j_mcarthur, 1576 chars, Mon May 6 00:59:30 1991
Comment to 1246. Comment(s).
----------
[comment to roedy Sun May 5 19:18:20 1991]
Just a question, how much time did it take to add the copy
protection? Now multiply that figure by what they pay you
plus the cost of overhead and such. Now is that figure
larger or smaller than the amount you would have lost if
you did not copy protect?
I know from my own experience that copy protection cost a
lot more than it saves. I developed a product that upper
management decided to copy protect. It turns out that
there was a "mis-wording" in the documentation. Nothing
really wrong; just poorly described. Anyway, when a user
ended up using the program they would get a message that
would refer them to the manual. They would read the manual
and get the wrong idea. Then they would call the company
(on our 800 number) and ask for customer support. We did
a survey. 100% of our customers called the customer
support line because of the copy protection. In one way
or the other, the copy protection caused them inconvenience
and they called us about it.
Later the company designed yet another product that they
wanted to have hardware copy protection on. The hardware
engineers spent weeks on this one. Ended up having to
upgrade the logic software (the PAL was too complex). It
took them three tries to get the little circuit board correct.
Finally the product shipped. In over a year they sold a
total of 12 of them. The cost of the copy protection
vastly exceeded the profits from the sale.
From my experience, the time spent on copy protection does
not equal the supposed savings.
Jeffrey McArthur
==========
security/main #1258, from hamilton, 275 chars, Mon May 6 01:05:51 1991
Comment to 1252. Comment(s).
----------
Fair use does not mean you can copy the whole thing. And copyright law
does not mean you could copy a program onto several machines so long as
only one is used at a time. If you do that, you are depriving the
copyright owner of rightful income and you're breaking the law.
==========
security/main #1259, from hamilton, 327 chars, Mon May 6 01:11:22 1991
Comment to 1254.
----------
Those are the so-called "portable licenses". But consider that the vendor
has to cover all his costs and still produce a profit one way or another.
So if he collects less revenue from folks that take advantage of that
portable license provision, he may well have to charge more on every copy
he does sell to make up for that.
==========
security/main #1260, from sje, 766 chars, Mon May 6 01:16:57 1991
Comment to 1258.
----------
Copyright "fair use" does allow for making a limited number of
copies for archival purposes. This is explicitly stated on quite a few
licenses I've seen. There are additional instances of such "fair use"
that cover academics and repositories, although these are not pertinent
to this subject. Obviously, if the office computer is an archive site,
there is no problem in using a copy at home -- AS LONG AS ONLY ONE COPY
IS IN USE. The operation is no different from de-installing the office
copy and re-installing it on the home machine as needed. The archive
site changes at well defined times, and no income is lost because no sales
are lost. It would be impossible to collect on a copyright violation if
there is no violation in the first place.
-- Steve
==========
security/main #1261, from roedy, 881 chars, Mon May 6 01:55:52 1991
Comment to 1257.
----------
The program was NOT copy protected. You could make all the
copies you wanted. The protection was completely invisible to
the end user. Only a hacker could ever have even detected it.
It did not add much overhead. The program was one unlikely to
be stolen for several reasons. It did not take me all that
much time to concoct -- perhaps only 3 days.
Basically each copy had an account number with an online
database burned into it. There was no menu item for changing it.
Hackers could try finding it and changing it, but they would fail.
By the time they did crack it, they might as well have written
their own code. Further the crackers had no idea of what
safeguards in addition were built into the main database computer
they accessed.
The program was a stock charting package that tied into the Globe and
Mail database. It was the first Canadian Mac package written.
==========
security/main #1262, from j_mcarthur, 307 chars, Mon May 6 02:15:15 1991
Comment to 1256.
----------
[comment to sje Mon May 6 00:02:42 1991]
I will make a comment about ease of defeating "dongles".
I used to work for a company that had quite a bit of development
hardware. That included in-circuit emulators and logic analysers.
You can defeat any dongle if you have that combination.
Jeffrey McArthur
==========
security/main #1300, from hkenner, 623 chars, Tue May 7 22:53:48 1991
Comment to 1298.
----------
Check out Borland's "No Nonsense" agreement with Turbo Pascal, C,
Assembler, Debugger, etc. It explicitly allows you to make copies as
you please, so long as there is *no possibility* of copies being run
on different machines by different people at the same time.
What Borland clearly means to obviate is the situation where 2 or more
people are running the same application, only one copy having been bought.
I have Turbo Pascal on two machines (laptop & desktop) and feel
perfectly comfortable with the agreement I signed, since no one but
me under this roof uses a computer, and I can only use one at a time.
--HK
==========
security/main #1307, from hamilton, 413 chars, Wed May 8 00:29:05 1991
Comment to 1300.
----------
So what's your point? Any vendor is certainly entitled to give
away whatever rights to his product he wants. But that doesn't
mean anyone else has to do the same. Borland's word isn't law.
Matter of fact, the whole shrinkwrap license stuff is bogus. I'm
satisfied (based on the discussion I got into over in the law
conference last year) that they're unenforceable. Right now, it's
purely a copyright issue.
==========
security/main #1308, from roedy, 477 chars, Wed May 8 00:32:31 1991
Comment to 1299. More refs to 1299.
----------
There is no need to stop piracy dead in its tracks.
We simply want to get it down to the levels of participation
comparable to car theft. Right now the MAJORITY of computer
users are pirates.
If users had to install an illegal device in their machine,
and if there was a good chance they would miss out on updates,
get caught by an auditor -- just as postage meter cheats do,
then piracy would drop to a dull roar and the problem would
no longer be economically significant.
==========
security/main #1309, from roedy, 243 chars, Wed May 8 00:34:46 1991
Comment to 1301. Comment(s).
----------
Then I suggest you buy flat-use only software that does
not need to know your usage. I would think you would
want companies to know you think their product is a dog -- in a way
they can see very clearly without having to write them a letter.
==========
security/main #1310, from roedy, 266 chars, Wed May 8 00:37:01 1991
Comment to 1302.
----------
I think this should be flexible. You are paying for:
1. the right to use on N machines.
2. H hours of total use.
3. S hours of simultaneous use.
Your bill can be a formula involving N H and S with volume discounts,
flat rates, discounts for years of faithful use.
==========
security/main #1311, from roedy, 805 chars, Wed May 8 00:42:58 1991
Comment to 1303. Comment(s).
----------
The reason I am keen on burning the serial number into the CPU is that
it can be made more difficult to counterfeit. Code can repeatedly
ask the serial number and time how long it takes. A faker would have
a hard time providing it as quickly as the CPU. A ROM is easily
faked by any teenager. The idea is to make the counterfeiting technology
expensive and illegal -- just the way it is illegal to sell equipment
to cheat on postage meters. Further with a single money collection
scheme - perhaps handled by Visa or Mastercard, the huge resources
of such companies can be brought to bear on cheaters and those who
would try to sell counterfeiting equipment.
Right now, tiny companies like my own, have no chance stopping
big companies like Rockwell when they BRAZENLY and OPENLY
steal my software.
==========
security/main #1312, from dzenc, 261 chars, Wed May 8 00:48:00 1991
Comment to 1311. Comment(s). More refs to 1311.
----------
Software is trivial to modify. Someone trying to break security
will (if he's smart) always attack the weakest link. Make the hardware
as hard as you want to duplicate/crack, somebody will modify the software
so it doesn't look at the hardware anymore.
-Dan
==========
security/main #1313, from dzenc, 361 chars, Wed May 8 00:51:49 1991
Comment to 1299. Comment(s).
----------
The problem is that in the end, it's still just software. IF you tie
some necessary (and non-trivial) piece of hardware to it, then you can
prevent copying. The key word is necessary. If the hardware isn't
necessary, then any two-bit hacker can remove the dependency, entirely
in software. And software is IMPOSSIBLE to track (As can be plainly
seen)
-Dan
==========
security/main #1314, from roedy, 1156 chars, Wed May 8 00:57:01 1991
Comment to 1306. More refs to 1306.
----------
The benefits to the user of rental vs purchase, even when the
"rental" is a one time fee that gives you unlimited use for
life, are:
1. You get upgrades automatically.
2. You cannot "lose" your software.
3. Your software cannot be stolen.
4. You can use your software anywhere in the world, even if you
forgot to bring it with you.
5. You can use your software on any machine. Billing keeps
track of what you did. If you need to temporarily have
two working copies, you can just start using them, --
PERFECTLY legally. You don't have to order a second copy.
If you don't give the vendor all the money up front, (i.e. rent)
the advantages are:
1. It is an incentive to the vendor to keep improving the product
or you will switch to a competitor.
2. You can cheaply try out competitors for extended tests.
3. It costs you less if your usage is low.
4. It costs you less if you stop using the program for some reason.
5. It makes vendors more responsive to the needs of the
EXISTING customer base, rather than spending all their
efforts suckering in new customers with flashy but useless
new features.
==========
security/main #1315, from roedy, 325 chars, Wed May 8 00:58:38 1991
Comment to 1306. Comment(s).
----------
"get the two together"
By this I mean, your computer phones the Visa people once
a month to get the billing straightened out. All your computers
must report at least once a month. It is just like getting your
electric meter read. If you don't pay the bills, they turn off
the juice -- except on the programs you "bought".
==========
security/main #1316, from roedy, 397 chars, Wed May 8 01:01:10 1991
Comment to 1312.
----------
With hardware assist that is FAST, it is possible to create
security systems that are far more difficult to crack than to
write from scratch. When you can guarantee the computer will
report into Mom (big brother) once a month if it wants to stay
connected with the world of updates, the pirate's job is
infinitely more difficult. Part of the key is having a
central powerful anti-piracy body.
==========
security/main #1317, from roedy, 204 chars, Wed May 8 01:02:42 1991
Comment to 1313. Comment(s).
----------
If the copy protection were woven into every single module,
and if any disturbance provided a delayed reaction failure,
I promise you "any two bit hacker" would be in a padded cell
before he cracked it.
==========
security/main #1318, from dzenc, 605 chars, Wed May 8 01:14:04 1991
Comment to 1317. Comment(s).
----------
If there is a central computer that is necessary in some way (using your
example: for regular updates) then it can be tracked. The problem is,
once the hacker has the software, and isolates himself from the server
(forgoing anything the server has to offer), he can do whatever he damn
well pleases to the software, take as long as he likes to do it, and
make as many mistakes as he wants without being tracked.
Once the first generation of copy protection for a given piece of
software is broken, updates (which can be obtained by using an unhacked
copy of the software) are simple to deprotect.
-Dan
==========
security/main #1319, from roedy, 338 chars, Wed May 8 01:46:19 1991
Comment to 1318. Comment(s).
----------
Individual hackers are NO threat. Even if the hacker does
isolate himself, this theft is of no economic consequence.
He is NOT going to be very successful convincing many other
people to cut themselves off from the endless stream of
goodies, and risk a call from the VISA credit dept to see
why the computer has not checked in of late.
==========
security/main #1320, from dzenc, 316 chars, Wed May 8 01:52:07 1991
Comment to 1319. Comment(s).
----------
What amazing goodies can you offer? As things are right now, it is obvious
that MANY people are willing to give up a lot of the benefits of owning
software (tech support, updates, etc.) in exchange for not shelling out
any money. Pirates do get the updates too. It may take a while, but they
will get them.
-Dan
==========
security/main #1321, from roedy, 592 chars, Wed May 8 02:09:16 1991
Comment to 1320. Comment(s). More refs to 1320.
----------
let us say that a pirate creates a "liberated" version of
Lotus 123. let us say the pirate posts a "Liberating" program
on a number of BBSes. Lotus does not have to stand still.
Instantly it can issue an update with a defence, and
automatically install it.
Further I suppose the authorities could get a global search
warrant to scan all computers for the pirated copy.
It would be tacked onto the normal billing connect.
Perhaps you have heard, ANI is coming. This means
BBSes can know the phone numbers of callers.
This will make life more difficult for pirates
to remain anonymous.
==========
security/main #1322, from checker, 347 chars, Wed May 8 02:09:48 1991
Comment to 1320. Comment(s). More refs to 1320.
----------
I have to agree. I think the very nature of a 'programmable'
computer makes it impossible to protect. I think the
solution, which was hinted at earlier, is to make the goodies so
good, that the person 'wants' to pay for it. The quickening
pace of business will help this, because pirates won't be able to
afford the delay in getting updates.
==========
security/main #1323, from roedy, 1083 chars, Wed May 8 02:16:09 1991
Comment to 1320. Comment(s).
----------
You imagine that the system I envisage will be as easy to
bypass as those silly copy protected disks, where the very
nature of the test makes it so slow it can only be done
in a few places in ways that stand out like sore thumbs.
With CO-OPERATION from the chip manufacturer, you can
create schemes that require the resources of another
chip manufacturer to crack. So long as the sale of such
devices has no practical use other than theft they
can be made illegal. By having a powerful body such as
VISA, have a vested interest in prosecuting pirates,
the problem will be over, and SOFTWARE PRICES WILL PLUMMET!
Why? Because PIRATES, millions of them, will join the
legitimate user base. THEY won't stand for these
outrageous prices. This will create a vacuum for
decent, low cost software. Many vendors will
rush to fill it. Then LEGIT users, will switch.
Why pay those inflated prices?
Finally, bowed and bloody, the Lotuses of the
world will have to compete on a level playing field.
They will have to drop prices, improve performance,
and compete on superior support.
zastita.39dejanr,
==========
security/main #1324, from roedy, 593 chars, Wed May 8 02:19:27 1991
Comment to 1322. Comment(s). More refs to 1322.
----------
There are currently NO penalties for theft, and a severe
penalty for honesty, paying inflated prices. If you
just squeeze a little, by raising the penalties just a bit for
theft, and lower the penalties for honesty, by spreading the
costs over a larger base, then more people will decide to go
straight.
I read an article in a lotus Magazine where they estimated
something like one in 10 copies was legit.
If everyone paid the price could be ten times lower, and
Lotus would still make just as much money. If they kept the
price high, somebody ELSE could produce a clone at ten times
less.
==========
security/main #1325, from checker, 371 chars, Wed May 8 02:27:29 1991
Comment to 1324. More refs to 1324.
----------
I think the punitive viewpoint is the wrong way to go about it.
Of course, pirates should be punished, but a proactive policy
would be much more effective in my view. Look at the psychology
behind pirating: a 'me' based way of thinking. Now, turn this
way of thinking to your ends (instead of trying to change the people)
by offering them something they can't refuse.
==========
security/main #1326, from roedy, 1172 chars, Wed May 8 02:38:04 1991
Comment to 1324.
----------
I think the way to do this is to offer an incredible smorgasbord
of programs, programs you can try out for just a few cents,
with no install hassles, and pay nothing if you don't continue
to use them. The system is just about impossible to break --
at least as hard as say breaking an automated teller machine.
Many vendors might offer 2 month free trial, or money refunded
if you stop using after a month.
Subscribers have an online help service so right in the
middle of a program, they can ask a question that gets
answered by a human, who might just direct them to a spot
in the online manual.
I am thinking a little future here, where all machines
have modems and something like an ISDN connect.
I am a Shareware author. Very few people ever write more
than one shareware program. The humiliation of having
two registrations for something you laboured a month over
is just too much. Shareware authors will greatly benefit.
People who use such programs may sign up for trivial fees of
pennies a month, but it all adds up. This means many
many more people will start writing TRIALWARE -- try before
you start to pay -- but it is NOT free, just very cheap.
==========
security/main #1327, from daharvey, 654 chars, Wed May 8 02:41:03 1991
Comment to 1309. Comment(s).
----------
I guess, given what I do for a living, they do know
in a way they can see very clearly without my
having to write them a letter just exactly what
I think of their product. ;-)
Seriously, though, your idea, while a smart way to approach it,
just seems too over-extended. The notion of needing to monitor
something you sell is kind of defeating the whole point.
It puts your customer in the position of being "the naughty
child," which is not going to cause much delight among
users.
Further, it will be, business as usual, the larger companies
who can afford this sort of scheme. I really don't
see it protecting the shareware, or second-tier offer.
==========
security/main #1328, from roedy, 923 chars, Wed May 8 02:53:31 1991
Comment to 1327. Comment(s).
----------
Are you a naughty child when you own a postage meter?
There are great benefits to staying in touch with the vendor.
1. Bug fixes come automatically.
2. Installs are HIS problem.
(I am imagining an architecture quite a bit more advanced than
the PC to support this.)
3. Evolving online help that evolves weekly as the support people
discover where people are getting caught or where the
docs are ambiguous.
The #1 reason I prefer rental to purchase is that I can PUNISH
the vendor at any time, by moving to a competitor. If I purchase
I have given away all my clout. Right now vendors ignore their
installed base and put in stupid features that slow the product down,
and ignore the pleas of existing customers for features that would not
be easily touted in a sales brochure.
Right now my only clout with the vendors I have already bought from
is writing about the products -- scaring off new users.
==========
security/main #1329, from hshubs, 97 chars, Wed May 8 09:26:09 1991
Comment to 1315. Comment(s).
----------
So someone modifies the reporting code to say that you didn't use it much
or at all that month.
==========
security/main #1330, from hshubs, 592 chars, Wed May 8 09:30:55 1991
Comment to 1321.
----------
1) I don't know about you, but _I_ don't want Lotus or any other company
loading software on my machine without my being able to do things like
scan it for viruses. I also don't know of too many people who'd want
to risk getting major bugs without being able to revert to a previous
version.
2) You really want "the authorities" to be able to get onto your machine(s)?
Right now, that means that they confiscate the whole machine, including
data, paper, printers, disks, monitors, and anything else they think
might be related.
3) Have you ever heard of pirate BBSs?
==========
security/main #1331, from dzenc, 1026 chars, Wed May 8 12:52:34 1991
Comment to 1323.
----------
You seem to think that tying the protection to the hardware and making it
X times more difficult to break will stop people from breaking it. This is
just false. There are people who ENJOY breaking protection just for the
mere pleasure of outwitting the creator. Once you have one copy broken,
anyone who wants it can get a copy. It is obvious that pirates are
willing to expend time and energy to avoid paying. Someone will modify
the transfer software so that it backs up before updates. Or, pirates
will just ignore the standard network all together, and just pass around
complete copies of the cracked program. Just like they do now.
As to the idea of Lotus in my computer monitoring me at all times, I think
it's a great idea. In fact, let's stop all crimes! We can just put video
cameras everywhere and have an AI system that detects illegal activities.
Have an AI court that looks at the tapes, determines the punishment and
implements it. Boy, that would save a lot of time & money, don't you think?
-Dan
==========
security/main #1332, from jgoldblatt, 1578 chars, Wed May 8 19:34:33 1991
Comment to 1287. Comment(s).
----------
The real question with piracy is how to get software paid for.
Essentially what is going on is that there is a totally
automatic manufacturing process that is available to everyone.
The cost of the product is incompatible with the cost of manufacture.
I think that the long term solution is a way of allowing users to
pay the authors a royalty for each copy made, that is small and
easy to pay. Possibly a clearing house like the music publishers
have where you could dial in or up and give the product id and
a credit card number and a count and be allowed to make legal
copies. Then the people who like the support and the binding and
the slick paper could pay for it. Would also encourage vendors
to be more imaginative in their marketing. I would really like to
buy a subscription from some places, where I would just get the latest
and greatest (or at least the least stable) automagically.
The only guys who would get screwed would be the niche market users,
where there isn't enough of a market to justify a large development
for a small per user profit. Of course, the answer to that is
making easily customizable software. Make a bet that there are
less than 10 basic types of businesses to computerize and that
there are lots of all types.
Jonathan
P.S. Haven't changed to the real editor yet. On subscriptions,
would also like to fund future development and have a say in
what they are. Change from a manufacturing and distribution company
to a development and service company and let the users do their own
distribution and manufacture.
==========
security/main #1333, from agni, 602 chars, Wed May 8 19:40:19 1991
Comment to 1322. Comment(s).
----------
all this fuss over the pirate.. Huh.. I bet you're wasting your time.
Pirates don't USE the software.. I know a fellow that filled up his
disk with tons of software.. all pirated.. and he doesn't use 1/10 of it.
I asked him why.. And he said because it's there, and neat to have.
SIGH... In my teen years I pirated lots of stuff.. and guess what..
after 2-3 hours it got boring..
Tell me how you can justify a $30 program that is only interesting for
a few hours? I've been there.. You're getting advertising that way.
Want them to buy? update frequently, and cripple pirated copies.
+Agni
==========
security/main #1334, from j_mcarthur, 3880 chars, Wed May 8 20:05:43 1991
Comment to 1328. Comment(s).
----------
[comment to roedy Wed May 8 02:53:31 1991]
>1. Bug fixes come automatically.
No way are you ever going to get me to use this. Bug fixes should
NEVER be automatic. I have seen updates that "supposedly" fixed
one or two known bugs but that introduced three or four more that
broke the code all to h*ll.
One compiler I was using had a bug. I found it and reported it.
Meanwhile I coded around the problem. When the "bug fix" was
released, that bug was fixed. But several other bugs appeared.
Every time a vendor releases a new version it took me up to a month
to get the code to run under the new version.
>2. Installs are HIS problem.
I HATE INSTALL PROGRAMS!!! They NEVER work. I seldom have "standard"
hardware. The last two programs that had install programs would not
run on my hardware (Borland C++ was one of them). I ended up installing
the software on a more "normal" machine and using Fastback to back up
the software after it was installed and then restoring it on my machine.
Until recently, my machine was always open. Boards were constantly being
installed and un-installed in it. Often the boards were proto-types that
did not look like any "normal" board you run across. I have even used
systems where they took out the normal display card and put in their
own that did NOT look like a Herc, CGA, VGA or anything known.
The company I worked for planned on shipping a PC without any "standard"
display. In its place was a really weird card that had no text modes
at all. There is no way for an install program to take that type of
oddity into account.
>3. Evolving online help that evolves weekly as the support people
> discover where people are getting caught or where the
> docs are ambiguous.
I wish that was true. We found a really awful bug in the manual.
So we changed it. Unfortunately we had 200+ copies of the old
manual "in-stock". So they sent out the 200 copies. It's even
worse if you go to "perf-bound" manuals where your minimum order
is 5,000.
Besides "on-line" manuals don't solve all the problems. I want to
be able to put "tabs" on the manual to get to the parts I need to
refer to. Also I want to be able to add "margin notes" saying
things like "this actually means you can do this also..." or
"if you are in this section, you can copy data from (some other program)
and put the data into here".
>The #1 reason I prefer rental to purchase is that I can PUNISH
>the vendor at any time, by moving to a competitor.
You are forgetting one major thing. If I am RENTING software,
then I should have all the rights that RENTING gives me. That is
if I can prove that your software has a bug, and that it cost
me lost time and money, I can sue you for damages (look into
tenants' rights). If I go down and rent a car, and its
brakes are worn, I can sue the rental agency if I get into
an accident. Even worse, if I get into an accident and kill
someone else, the rental company can be sued for that.
So what happens if I rent your data base program and I am an
independent consultant. I use the rented data base program on
a client's data. But your program has a minor bug in that on
the third Tuesday after a full moon and you fill up the disk
exactly with the data file and you happen to have some TSR
loaded, you miscalculate a summation field by $1. So
my client has me prepare his presentation for a $1,000,000,000
contract. I use the rented data base program to do the
calculation for the bid. But the client loses by $0.50 to
some other vendor. What happens when the client finds
that he lost a billion dollar contract to a software bug?
As a renter I would have the rights to sue for damages.
That is the problem with renting. If you do not own the
software, you must be able to redress problems caused by
that software. If on the other hand you own it, "let the
buyer beware."
Jeffrey McArthur
==========
security/main #1335, from roedy, 1378 chars, Wed May 8 20:14:32 1991
Comment to 1329. Comment(s).
----------
Let me talk a little about how hardware might be used. I think
everyone here is thinking about PC level machines that are
completely insecure -- no hardware assist at all.
Imagine a machine with hardware that only stores encrypted data
on disks, and in RAM. AS IT EXECUTES, the cpu has an auxiliary
processor to decrypt the instruction stream and to encrypt the data.
Imagine a system that stays in contact with the outside world
ALL the time.
I am sure there are a few people who fiddle their postage machine,
but the percentage is small. THERE IS NO NEED FOR 100% COMPLIANCE.
All we need to do is shift the world from 10% honest to 10% crook.
The REAL issue is, what is in this for the pirates? MOST of the
people reading this have some pirated software in their possession.
Will the ordinary joe, who today uses piracy to try out new
software, to have on hand infrequently used software, or just
to save a few bucks be any better off?
Advantages:
1. Low cost, up-to-date, undoctored, supported versions
of software.
2. Freedom from viruses by getting software direct.
3. Clear conscience.
4. Easier to write your own software and market it in
competition. You will get paid if people use it.
You don't need a giant legal dept.
5. Ability to rent software with full docs for trial
rather than making do with executables only pirated versions.
==========
security/main #1336, from roedy, 277 chars, Wed May 8 20:17:22 1991
Comment to 1332.
----------
I completely agree that making BOXES of stuff is a silly way
to sell software. It should be copied and created as needed,
with a payment scheme completely independent of the physical
medium. The physical medium has nothing whatever to do
with the cost of making the software.
==========
security/main #1337, from roedy, 361 chars, Wed May 8 20:21:03 1991
Comment to 1333.
----------
Many many companies think absolutely nothing of buying
only one copy of a product then installing it on ten
machines. In contrast charities are sticklers and
buy 4 copies of Word or Word Perfect. Why should
charities subsidize the companies? If everyone
were honest, word processors would cost only $30
for a product like Word 5.5 or WP (exclusive
of manuals).
==========
security/main #1338, from roedy, 312 chars, Wed May 8 20:24:08 1991
Comment to 1334.
----------
Do you think we can continue the way we are now indefinitely?
How much longer can man put up with installs that don't work?
This HAS to change as more and more people come onstream
to the computer age. We will look on these GOOFY
lunatic installs with the same amusement we look on man's
first flying machines.
==========
security/main #1339, from sschneider, 486 chars, Wed May 8 20:38:41 1991
Comment to 1311.
----------
[ A reply to roedy's message #1311 in security/main ]
>> scheme - perhaps handled by Visa or Mastercard, the huge resources
>> of such companies can be brought to bear on cheaters and those who
>> would try to sell counterfeiting equipment.
Roedy... Visa and MasterCard can't even cope with the $800,000,000 a year in
losses they suffer from theft and misuse of cards/card-numbers. How in the
world could they ever do anything along the lines you suggest?
Steve
==========
security/main #1340, from agni, 349 chars, Wed May 8 21:48:54 1991
Comment to 1335. Comment(s).
----------
honesty at what price.
The game has been played.. Fine, dream up whatever copy protection
schemes you want. Given any choice, I'll go with the one without it. I have
enough trouble getting the software to work as I want it to. Adding anything
more is just going to waste my somewhat valuable time.
It is never totally transparent...
+Agni
==========
security/main #1341, from roedy, 1497 chars, Wed May 8 22:17:30 1991
Comment to 1340.
----------
Quite right, you have to pay.
So I concede, 100% transparency is impossible.
Perhaps if you imagined the Mac instead of the PC as the baseline
machine, a lot of what I am saying might sound less crazy.
Mac installs sometimes have been known to work. There was a
reported case of a user actually installing software on a Mac
without a programmer's help. Eventually, through standards and
better interfaces, we should get to the point where fully
automatic installs are feasible. Just as there are
people who prefer manual car transmissions, there will be
people who prefer manual installs (I will probably be one of them.).
However the vast majority of the new computer users will be
VERY happy to have the chore handled automatically.
They will be even happier to have someone else responsible
for applying updates and keeping the system running.
If it does not work, you don't pay.
As Tony Robbins would say "What a concept!"
The way it works NOW, if the program does not work you
pay EXTRA, for the upgrade to make it work!
I hate to keep hammering this point, but no one has
acknowledged it yet. Suddenly the EXISTING users
have some clout to make the manufacturers produce
bug free, easy to use software. It does not just have
to SOUND good, it actually has to WORK, or the company
goes belly up.
No amount of Madison avenue hype can save them.
If the program is unusable, it CAN'T generate them any
revenue.
Can you see now how BUG FIXES will become the #1
vendor priority?
zastita.40dejanr,
==========
security/main #1481, from roedy, 1633 chars, Wed May 15 17:43:44 1991
Comment(s).
----------
TITLE: napping pirates
A few months ago a consortium of Credit Unions (small banks)
hired me to talk to them about viruses. They were very
concerned and had sustained a number of costly attacks.
Big business has a habit of playing hardball when the bottom
line is concerned.
What methods can be used to entrap pirates?
Ross Greenberg, author of Flu Shot Plus, fills his manual with
"slime ball" invective aimed at pirates. There are pages of it,
sounding as if it were written by some 10-year old brat. I
asked him why he did that. He explained that it taunts pirates
into attacking his board, and giving him copies of their
viruses. He would sooner they attacked him than people who did
not know how to defend themselves.
Caller ID is coming. The phone number of the caller is encoded
in ASCII just the way a modem would send it. Pirates will have
to call from payphones using laptops if they don't want to be
discovered. In some cities the phone numbers of pay phones fall
into a special range, so you could go unanswered.
A sting operation can offer what pirates want most --
information on what other pirates are doing and the latest ideas
in security. You can be quite sure that most pirates on BIX, for
example, have joined the SECURITY conference. This is not to say
everyone who joined security is a pirate. Pirates have given
names, addresses and phone numbers to BIX. This information
could be subpoenaed in a sweep to nail suspected pirates.
Owners of pirate BBS's, as I mentioned last night, are subject to
vigilante actions because it is quite easy to find the address
corresponding to any phone number.
zastita.41ppekovic,
For this encryption program, people on BIX claim that not even the CIA and
NSA people can crack it, i.e. that they cannot break the cipher. It is nice
that the Pascal source comes with the program.
Paya
encode.zip
zastita.42dejanr,
==========
tojerry/long.messages #608, from charliemerritt, 7977 chars,
Sun Jul 7 15:11:45 1991
----------
TITLE: New Public Key Crypto System *NEW?*
Page 1
THE CRYPTOGRAPHIC USES OF POLYGONAL SEQUENCES
By C. David Colston
INTRODUCTION
Polygonal sequences are a series of numbers that are generated by
offset addition to the previous members of the sequence. The lowest
order of these sequences (other than sequence zero or 1, 2, 3, 4, 5...
etc.) is the triangular sequence. It is created by taking the starting
number 1 and offset of 1, constantly adding 1 to the offset, and
summing the result. 1 + 2 + 3 + 4... are added, resulting in the
numbers 1, 3, 6, 10...
The next sequence is the square sequence in which offset is
increased by two each time, 1 + 3 + 5 + 7... This results in the
numbers 1, 4, 9, 16... The third sequence (a pentagon) increases the
offset by three each time 1 + 4 + 7 + 10 ... and it results in the
numbers 1, 5, 12, 22... These sequences are called polygonal because
the resulting numbers can be ordered into rigid geometric shapes.
Examples:
       1                       1   4   9  16
      2 3      (Triangle)      2   3   8  15   (Square)
     4 5 6                     5   6   7  14
    7 8 9 10                  10  11  12  13
CALCULATION OF POLYGONAL NUMBERS
Because offset counting and addition is a cumbersome process it
is helpful to note that any member (M) of a given polygonal sequence
(PS) may be calculated by the following formula:
(M X M + M)/2 + (PS-1) X ((M-1) X (M-1) + (M-1))/2
It is also helpful to note that (PS + 2) is the number of sides in the
resulting polygonal sequence.
The formula resolves as follows for the first four sequences:
Triangle: (M X M + M)/2
Square: M X M
Pentagon: (3 X M X M - M)/2
Hexagon: 2 X M X M - M
THE MODULAR RESIDUE OF POLYGONAL NUMBERS
Polygonal sequences have ordered properties modulo a prime
number. On the next page is a complete set of the modular residue of
the first 23 polygonal sequences modulo the prime 23. The horizontal
columns are, from left to right, the sequence members from 1 to 23.
The rows from top to bottom are the polygonal sequences from 1 to 23
and are numbered from 1 to 23 accordingly.
______________________________________________________________________
Page 2
PS#|
---+------------------------------------------------------------------
1 |1| 3| 6|10|15|21| 5|13|22| 9|20| 9|22|13| 5|21|15|10| 6| 3| 1| 0|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
2 |1| 4| 9|16| 2|13| 3|18|12| 8| 6| 6| 8|12|18| 3|13| 2|16| 9| 4| 1|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
3 |1| 5|12|22|12| 5| 1| 0| 2| 7|15| 3|17|11| 8| 8|11|17| 3|15| 7| 2|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
4 |1| 6|15| 5|22|20|22| 5|15| 6| 1| 0| 3|10|21|13| 9| 9|13|21|10| 3|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
5 |1| 7|18|11| 9|12|20|10| 5| 5|10|20|12| 9|11|18| 7| 1| 0| 4|13| 4|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
6 |1| 8|21|17|19| 4|18|15|18| 4|19|17|21| 8| 1| 0| 5|16|10|10|16| 5|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
7 |1| 9| 1| 0| 6|19|16|20| 8| 3| 5|14| 7| 7|14| 5| 3| 8|20|16|19| 6|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
8 |1|10| 4| 6|16|11|14| 2|21| 2|14|11|16| 6| 4|10| 1| 0| 7|22|22| 7|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
9 |1|11| 7|12| 3| 3|12| 7|11| 1| 0| 8| 2| 5|17|15|22|15|17| 5| 2| 8|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
10 |1|12|10|18|13|18|10|12| 1| 0| 9| 5|11| 4| 7|20|20| 7| 4|11| 5| 9|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
11 |1|13|13| 1| 0|10| 8|17|14|22|18| 2|20| 3|20| 2|18|22|14|17| 8|10|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
12 |1|14|16| 7|10| 2| 6|22| 4|21| 4|22| 6| 2|10| 7|16|14| 1| 0|11|11|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
13 |1|15|19|13|20|17| 4| 4|17|20|13|19|15| 1| 0|12|14| 6|11| 6|14|12|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
14 |1|16|22|19| 7| 9| 2| 9| 7|19|22|16| 1| 0|13|17|12|21|21|12|17|13|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
15 |1|17| 2| 2|17| 1| 0|14|20|18| 8|13|10|22| 3|22|10|13| 8|18|20|14|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
16 |1|18| 5| 8| 4|16|21|19|10|17|17|10|19|21|16| 4| 8| 5|18| 1| 0|15|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
17 |1|19| 8|14|14| 8|19| 1| 0|16| 3| 7| 5|20| 6| 9| 6|20| 5| 7| 3|16|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
18 |1|20|11|20| 1| 0|17| 6|13|15|12| 4|14|19|19|14| 4|12|15|13| 6|17|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
19 |1|21|14| 3|11|15|15|11| 3|14|21| 1| 0|18| 9|19| 2| 4| 2|19| 9|18|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
20 |1|22|17| 9|21| 7|13|16|16|13| 7|21| 9|17|22| 1| 0|19|12| 2|12|19|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
21 |1| 0|20|15| 8|22|11|21| 6|12|16|18|18|16|12| 6|21|11|22| 8|15|20|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
22 |1| 1| 0|21|18|14| 9| 3|19|11| 2|15| 4|15| 2|11|19| 3| 9|14|18|21|0
---+-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
23 |1| 2| 3| 4| 5| 6| 7| 8| 9|10|11|12|13|14|15|16|17|18|19|20|21|22|0
----------------------------------------------------------------------
USING MODULAR RESIDUE TO MAKE A PUBLIC KEY
The cryptographic implications can be easily seen. For example, any
member of the first polygonal sequence can be transformed to be a member
of the second sequence and used for a public key:
_____________________________________________________________________
Page 3
p = prime 1
q = prime 2
N= p X q
M= message
C = Cipher_text
Encrypt (using polygonal sequence 1): (Sender knows N but not p and q.)
(M X M + M)/2 modulo N == C (The resolution of the formula for
polygonal sequence 1.)
Decrypt: (Receiver knows p and q.)
(C X 8 + 1) modulo N == ((M X 2 + 1) X (M X 2 + 1)) modulo N
This converts the triangular encryption into a member of the square
sequence and allows for solution. Solve for (M X 2 + 1) modulo p and
(M X 2 + 1) modulo q. Using Chinese remainder theory the results may
be used to produce four possible solutions. 1 is subtracted from the
four possible results and the results are divided by 2. Many methods
can be used to avoid ambiguity, but presumably only one of the four
possible M's will make sense.
A similar possibility exists for the use of the fourth or hexagon
sequence, because it may also be changed into a member of the square
sequence by (C X 8 + 1), but decryption is more complicated. The
resulting squares require the subtraction of 1 and division by 2 AND
THEN the additional step of adding 1 and then dividing by 2.
For conventional key purposes it should also be noted that the
vertical columns in the example contain all numbers from 0 to (N-1)
(the exceptions are the 1 column and the N column which are all 1 or 0)
and can be readily determined by their additive quality modulo N,
as suggested by the general formula.
To the best of my knowledge, O. Joel Benston and myself are the
originators of the idea of using polygonal sequences (other than the
square sequence) for cryptographic purposes. We are considering
patenting the idea. If you have knowledge of other persons, who have
suggested a similar approach, please advise us. (501) 484-5489
<OK TO POST>
********************************************
David is a friend of mine and asked me to post this.
Any E-Mail sent to me re this will be forwarded to him.....charliemerritt
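An added worked example (not part of the original post; the primes and message are constructed) of the triangle and hexagon schemes described above, in Python. Both reduce to the same receiver-side work: 8C+1 is a square modulo N, so decryption is modular square-root extraction and CRT, exactly as in the Rabin cryptosystem, which means the security rests on the difficulty of factoring N and the four-candidate ambiguity is inherent to the scheme.

```python
# Added example, not code from the original post. Implements the "polygonal
# sequence" public-key idea for sequence 1 (triangle, C = (M*M+M)/2 mod N)
# and sequence 4 (hexagon, C = 2*M*M - M mod N). In both cases 8*C + 1 is a
# perfect square mod N, so the receiver (who knows p and q) takes square
# roots mod p and mod q, combines them by CRT into four candidates, and
# undoes the affine step. Needs Python 3.8+ for pow(x, -1, n).

def sqrt_mod_prime(a, p):
    """Both square roots of a mod p. Assumes p % 4 == 3 (a restriction of this
    example) so the root is a^((p+1)/4); other primes need Tonelli-Shanks."""
    a %= p
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a:
        raise ValueError("%d is not a square mod %d" % (a, p))
    return r, (-r) % p

def crt(a, p, b, q):
    """Unique x mod p*q with x = a (mod p) and x = b (mod q)."""
    t = (b - a) * pow(p, -1, q) % q
    return (a + p * t) % (p * q)

def polygonal(ps, m):
    """Member m of polygonal sequence ps, the general formula from the text."""
    return (m * m + m) // 2 + (ps - 1) * ((m - 1) * (m - 1) + (m - 1)) // 2

def encrypt(m, n, ps=1):
    """Triangle (ps=1) or hexagon (ps=4) encryption. Division by 2 is done
    as multiplication by the inverse of 2 mod n, which exists since n is odd."""
    if ps == 1:
        return (m * m + m) * pow(2, -1, n) % n
    if ps == 4:
        return (2 * m * m - m) % n
    raise ValueError("only sequences 1 and 4 map onto squares via 8C+1")

def decrypt(c, p, q, ps=1):
    """All four candidate plaintexts (sorted). The receiver still has to pick
    the one that 'makes sense', the ambiguity the text acknowledges."""
    n = p * q
    s = (8 * c + 1) % n          # (2M+1)^2 for ps=1, (4M-1)^2 for ps=4
    inv2 = pow(2, -1, n)
    out = set()
    for rp in sqrt_mod_prime(s, p):
        for rq in sqrt_mod_prime(s, q):
            root = crt(rp, p, rq, q)
            if ps == 1:
                m = (root - 1) * inv2 % n                    # (root - 1) / 2
            else:
                m = ((root - 1) * inv2 % n + 1) * inv2 % n   # then (+1) / 2
            out.add(m)
    return sorted(out)

if __name__ == "__main__":
    p, q = 1019, 1031                 # constructed primes, both 3 mod 4
    n = p * q
    for ps in (1, 4):
        c = encrypt(12345, n, ps)
        cands = decrypt(c, p, q, ps)
        print("sequence %d: C=%d candidates=%s" % (ps, c, cands))
        assert 12345 in cands and all(encrypt(m, n, ps) == c for m in cands)
```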
zastita.43dvidovic,
Here is the new version of the popular PCLOCK, which finally works with all
types of controllers. It installs simply and has lots of nice features.
Try it! Regards, Dule
pc-vault.zip
zastita.44max.headroom,
Help!! I have the program Movie Magic, which is highly specialized. However,
it is protected with the SUPERLOK.300 protection, which is giving me
PROBLEMS! I have not managed anything. I am not even sure whether anything
I tried was even a step toward removing the protection.
By the way, the program costs $7000.
For information. And it has a limited (0003) number of installations.
Naturally, it has a deinstall too. Is it possible to do protection with
laser-burned holes on 3.5" diskettes as well?
HElp!