Copy protection

Computer Fraud & Security Bulletin September 1989

© 1989 Elsevier Science Publishers Ltd

could cause one of the impacts mentioned above, e.g. theft, power failure.

Using the values obtained above, a security requirement for the three impacts can be calculated using a simple matrix.

The security requirement obtained enables appropriate countermeasures to be selected. The countermeasures recommended are related to the specific threats such as power failure, theft, infiltration, software failure etc. Where minimum security is required, codes of good practice are provided for all PC users, thus enabling a minimum level of security to be achieved.

The following benefits can be identified from this approach:

- Security managers are able to cope with the logistical problems of a large number of PCs.

- Dependence upon the availability of large numbers of security trained personnel is reduced by delegating information collection and security requirement calculation to users.

- It is easier to provide justification to senior management of the request for security products as these are related to the value of information to be protected.

- There is a significant contribution to the education and training of users with regard to security.

- A direct link between the organization security policy and a means of realistically implementing the policy is provided.

- Security products are able to be targeted at the high priority areas.

- An efficient means of identifying and maintaining security information about the organization’s PCs is available.

- The ability to adopt a structured approach can be implemented at a low cost.

- The approach is quickly and easily tailored to meet the client’s specific environment and needs.

- Users are guided towards implementing standard solutions which reduces costs and facilitates maintenance and administration.

- Where appropriate the methodology can be issued to users on a diskette to facilitate user and administration.

Kevin Lack

B/S Applied Systems, UK

TECHNICAL EVALUATION

COPY PROTECTION

This month’s technical evaluation article is somewhat different, as it is not about one particular product. Instead it brings together various strands that have run through this series of articles over the past two years. To be specific it’s about copy protection.

I’ve often railed against using copy protection in the past, and suggested that users with an iota of sense should have nothing to do with products that are copy protected. This is for many reasons, one of which is well illustrated by the sequence of events described below. The saga illustrates why I have mentioned so many times in the past that I never favourably recommend software which is copy protected.

The following story unfolded over the last few months, and is entirely true, but the name of the company involved has been omitted as I


believe that they are no better and no worse than many others in their disk management. The problem would not have occurred if the software in question was not distributed on copy protected disks.

Some while ago I agreed to write technical evaluation articles for CFSB about two products marketed by a security company. Both software packages required an IBM-PC (or a clone). After some delay (my fault), I began to review the first security product. During the installation process, it quickly became apparent that the software was copy protected, and the installation process insisted on having the copy protected disk in drive A.

The computer I usually use for testing is an IBM-PC clone, with a 3.5 inch disk as drive A, and 5.25 inch disks as drives B and C. The software came on 5.25 inch floppy disks. Without reconfiguring the innards of my computer, something I’m reluctant to do on a system that has given me no trouble, I could not install the software as it insisted on loading from drive A.

As the disks were copy protected it was inherently impossible to copy the 5.25 inch disks across to 3.5 inch floppy disks (which would have solved the problem).

Having reached this impasse I phoned the technical support staff of the company involved, and explained the problem. They agreed that as the software insisted on being installed from drive A, and was copy protected, the only solution was for them to provide 3.5 inch copy protected disks. They promised delivery in a few days’ time. This was early May.

In early June, I rang back to enquire what had happened to the promised disks. After various tales, they were promised ‘real soon now’. In early July I was still waiting, so I began evaluating the second software package. Same story.

Notwithstanding the human problems involved in this mini saga, the problem would not have occurred if copy protection was not involved. I would have simply copied the software on to the correct type of disk and continued with the installation process. Life is complex enough without the ritual dance imposed by copy protection installation programs.

The problems caused by copy protection schemes don’t end there. Secure operational methods involve taking backups to ensure that under no circumstances are you ever without a functioning copy of the software. Copy protection by its very nature circumvents this good practice, and forces the user into bad, insecure habits where regular backups of the software are difficult if not impossible to obtain.

Many copy protection schemes require the original master disk to be present every time that the software is executed. Pity the poor user who formats this disk because it has been accidentally left behind in a floppy drive. This event is guaranteed to happen just after the warranty period expires. If every software package required this type of “key-disk” copy protection, imagine needing up to a dozen master disks. The mind boggles.

But it gets worse. Some hardware vendors have started to refuse to have anything to do with a hard disk which has copy protected software installed. I came across the following statement (names removed etc.) at about the same time that I had problems with the two above mentioned software packages:

“I tell all my customers that if they install copy-protected software onto their hard discs, maintenance of programs and any kind of disk fault is on an ad-hoc (and expensive) basis thereafter - with the strong implication that I hope they will go elsewhere!”

Enough said.

In summary, I will not use anything that prevents me from taking as many backups as I desire, requires some form of special hardware, or requires a floppy disk to be present at all times. Under any circumstances. Neither should you.

Many vendors use an analogy between books and software packages in their licence agreements. A single copy of the software should only be in use at one place and at one time, just like a book. Many copies of the software can exist (for backup purposes), but cannot be in use simultaneously. Such schemes sound eminently fair to all concerned, and software developers will eventually come to terms with this.

After all, how many book publishers do you know that print books on paper with faint ink that cannot be photocopied? Any publisher who suggested it would immediately find sales plummeting.

Legal remedies are available to help prevent distribution of software in a manner that contravenes the vendor’s licence agreement. Such remedies should be used in preference to the mirage offered by software copy protection, which only temporarily solves the problem of illegal copies, and does so at the user’s expense.

Keith Jackson

BOOK REVIEWS

SECURITY OF INFORMATION AND DATA

Authors: Torgeir Daler, Roar Gulbrandsen, Birger Melgard and Tornjorn Sjolstad.

ISBN: 0-7458-0575-2

Publisher: Ellis Horwood, Market Cross House, Cooper Street, Chichester, West Sussex PO19 1EB, UK.

Price: £19.95 (133 pages, hardback)

This book is translated from the original Norwegian, and the translator (unnamed) is to be congratulated, as I did not even notice the Norwegian origins of the book until I was some way into it. Many of the examples quoted refer to Norway and Sweden, but this does not detract from the book. Their computer security problems seem very similar to those encountered elsewhere in the world.

With only 133 pages covering the whole of computer security, no one subject is covered in great depth, and in places the book is hardly more than a series of checklists. Consequently much of the content is very diluted. Paradoxically, this does not contradict the stated aim of the book, which is to “survey some central areas within the field of information security”.

The book makes very dry reading. Nothing is particularly wrong with the content, it’s just presented in a very uninteresting manner. In short it’s boring.

A couple of snippets stand out from the rest of the book.

The section entitled “Physical characteristics” describes various research projects which aim to identify individual humans from one or more of fingerprints, voiceprints, hand geometry and signature verification. Also included in this list are “lip prints”. I find this an amazing concept.

Imagine having to kiss a small box on the door before being allowed access to the computer room. Goodness only knows what sort of pictures would be attached to such a device. Somehow I doubt that this will prove socially acceptable.

The section on computer crime provides some fascinating statistics from the USA. Only 1 out of 100 cases of computer crime are detected, only 1 out of 8 is prosecuted, and only 1 out of 33 prosecuted computer crimes result in a prison sentence. Therefore the likelihood that a computer crime will result in a