Copy protection
-
Upload
keith-jackson -
Category
Documents
-
view
213 -
download
0
Transcript of Copy protection
Computer Fraud & Security Bulletin September 1989
could cause one of the impacts mentioned above. e.g. theft, power failure.
Using the values obtained above a
security requirement for the three impacts can
be calculated using a simple matrix.
The security requirement obtained enables
appropriate countermeasures to be selected.
The countermeasures recommended are
related to the specific threats such as power
failure, theft, infiltration, software failure etc.
Where minimum security is required codes of
good practice are provided for all PC users,
thus enabling a minimum level of security to be
achieved.
The following benefits can be identified
from this approach:
Security managers are able to cope with
the logistical problems of a large number
of PCS.
Dependence upon the availability of large
numbers of security trained personnel is reduced by delegating information
collection and security requirement
calculation to users.
It is easier to provide justification to senior
management of the request for security
products as these are related to the value of information to be protected.
There is a significant contribution to the
education and training of users with regard to security.
A direct link between the organization security policy and a means of realistically
implementing the policy is provided.
Security products are able to be targetted at the high priority are&.
An efficient means of identifying and
maintaining security information about the organization’s PCs is available.
- The ability to adopt a structured approach
can be implemented at a low cost.
- The approach is quickly and easily tailored
to meet the clients specific environment
and needs.
- Users are guided towards implementing
standard solutions which reduces costs
and facilitates maintenance and administration.
- Where appropriate the methodology can
be issued to users on a diskette to facilitate user and administration.
Kevin Lack
B/S Applied Systems, UK
TECHNICAL EVALUATION
COPY PROTECTION
This month’s technical evaluation article is
somewhat different, as it is not about one particular product. Instead it brings together
various strands that have run through this series of articles over the past two years.
To be specific it’s about copy protection.
I’ve often railed against using copy
protection in the past, and suggested that
users with an iota of sense should have
nothing to do with products that are copy
protected. This is for many reasons, one of
which is well illustrated by the sequence of
events described below. The saga illustrates
why I have mentioned so many times in the
past that I never favourably recommend
software which is copy protected.
The following story unfolded over the last
few months, and is entirely true, but the name of the company involved has been omitted as I
01989 Elsevier Science Publishers Ltd
September 1989 Computer Fraud & Security Bulletin
believe that they are not better and no worse than many others in their disk management. The problem would not have occurred if the software in question was not distributed on copy protected disks.
Some while ago I agreed to write technical evaluation articles for CFSB about two products marketed by a security company. Both software packages required an IBM-PC (or a clone). After some delay (my fault), I began to review the first security product. During the installation process, it quickly became apparent that the software was copy protected, and the installation process insisted on having the coy protected disk in drive A.
The computer I usually use for testing is an IBM-PC clone, with a 3.5 inch disk as drive A, and 5.25 inch disks as drives B and C. The
software came on 5.25 inch floppy disks. Without reconfiguring the innards of may computer, something I’m reluctant to do on a system that has given me no trouble, I could not install the software as it insisted on loading from drive A.
As the disks were copy protected it was inherently impossible to copy the 5.25 inch disks across to 3.5 inch floppy disks (which would have solved the problem).
Having reached this impasse I phoned the
technical support staff of the company involved, and explained the problem. They
agreed that as the software insisted on being installed from drive A, and was copy protected, the only solution was for them to provide 3.5 inch copy protected disks. They promised delivery in a few days time. This was early May.
In early June, I rang back to enquire what had happened to the promised disks. After various tales, they were promised ‘real soon now’. In early July I was still waiting, so I began evaluating the second software package. Same story.
Notwithstanding the human problems involved in this mini saga, the problem would
not have occurred if copy protection was not involved. I would have simply copied the
software on to the correct type of disk and continued with the installation process. Life is complex enough without the ritual dance imposed by copy protection installation
programs.
The problems caused by copy protection schemes don’t end there. Secure operational methods involve taking backups to ensure that under no circumstances are you ever without a functioning copy of the software. Copy
protection by its very nature circumvents this good practice, and forces the user into bad, insecure habits where regular backups of the software are difficult if not impossible to obtain.
Many copy protections schemes require the original master disk to be present every
time that the software is executed, pity the poor user who formats this disk because it has been accidentally left behind in a floppy drive. This event is guaranteed to happen just after the warranty period expires. If every software package required this type of “key-disk” copy protection, imagine needing up to a dozen master disks. The mind boggles.
But it gets worse. Some hardware vendors have started to refuse to have
anything to do with a hard disk which has copy
protected software installed. I came across the following statement (names removed etc.) at about the same time that I had problems
with the two above mentioned software packages:-
“I tell all my customers that if they install copy-protected software onto their hard discs, maintenance of programs and any kind of disk fault is on an ad-hoc (and expensive) basis thereafter - with the strong implication that I hope they will go elsewhere!”
Enough said.
In summary, I will not use anything that prevents me from taking as many backups as I desire, requires some form of special
01989 Elsevier Science Publishers Ltd
Computer Fraud & Security Bulletin September 1989
hardware, or requires a floppy disk to be present at all times. Under any circumstances. Neither should you.
Many vendors use an analogy between books and software packages in their licence agreements. A single copy of the software should only by in use at one place and at one time, just like a book. Many copies of the
software can exist (for backup purposes), but cannot be in use simultaneously. Such schemes sound eminently fair to all concerned, and software developers will eventually come to terms with this.
After all how many book publishers do you
know that print books on paper with faint ink that cannot be photocopied? Any publisher who suggested it would immediately find sales plummeting.
Legal remedies are available to help prevent distribution of software in a manner
that contravenes the vendor’s licence agreement. Such remedies should be used in preference to the mirage offered by software copy protection, which only temporarily solves the problem of illegal copies, and does so at the users expense.
Keith Jackson
BOOK REVIEWS
SECURITY OF INFORMATION AND DATA
Title: Torgeir Daler, Roar Gulbrandsen, Birger Melgard and Tornjorn Sjolstad.
ISBN: o-7458-0575-2
Publisher: Ellis Horwood, Market Cross House, Cooper Street, Chichester, West Sussex PO1 9 1 EB, UK.
Price: f 19.95 (133 pages, hardback)
This book is translated from the original Norwegian, and the translator (unnamed) is to be congratulated, as I did not een notive the Norwegian origins of the book until I was some way into it. Many of the examples quoted refer to Norway and Sweden, but this does not detract from the book. Their computer security problems seem very similar to those encountered elsewhere in the world.
With only 133 pages covering the whole of computer security, no one subject is covered in great depth, and in places the book is hardly more than a series of checklists. Consequently much of the content is very diluted. Paradoxically, this does not contradict the stated aim of the book, which is to “survey some central areas within the field of information security”.
The book makes very dry reading. Nothing is particularly wrong with the content,
it’s just presented in a very uninteresting manner. In short it’s boring.
A couple of snippets stand out from the rest of the book.
The section entitled “Physical characteristics” describes various research projects which aim to identify individual humans from one or more of fingerprints,
voiceprints, hand geometry and signature verification. Also included in this list are “lip prints”. I find this an amazing concept.
Imagine having to kiss a small box on the door before being allowed access to the computer room. Goodness only knows what
sort of pictures would be attached to such a device. Somehow I doubt that this will provide socially acceptable.
The section on computer crime provides
some fascinating statistics from the USA. Only
1 out of 100 cases of computer crime are
detected, only 1 out of 8 is prosecuted, and
only 1 out of 33 prosecuted computer crimes result in a prison sentence. Therefore the
likelihood that a computer crime will result in a
10 01989 Elsevier Science Publishers Ltd