[108016] in Cypherpunks
CDR: RE: Re: Adieu Privacy: Intel identifiziert Chips (fwd)
daemon@ATHENA.MIT.EDU (Brown, R Ken)
Mon Feb 1 07:35:59 1999
From: "Brown, R Ken" <brownrk1@texaco.com>
To: cypherpunks@einstein.ssz.com
Date: Mon, 1 Feb 1999 06:19:31 -0600
Reply-To: "Brown, R Ken" <brownrk1@texaco.com>
> Jim Choate wrote & Bill Stewart replied
>
>>Just imagine the hassle of trying to buy software at Comp
>> USA if you have to take your cpu ID in, have them burn
>> the ID into the software to make it usable, etc.
>> Who does the customer support in that case?
> Either register over the Internet, modems, or use
> telephone touch-tone response. Start the registration app,
> and run either a two-way or three-way handshake.
> For instance, the reg-app can send in the serial number,
> the vendor can public-key sign it, and the application
> can validate later (until the crackers remove the
> validation check :-) Or enter the challenge string,
> return the response, and get that signed.
A large proportion of PC buyers still don't have Net access & some of us
would find the phone irritating enough to not bother... I think enforcible
software registration would be a big downer on domestic & small business
sales.
Not so much of a problem in medium/large business - the one who makes the
purchasing decision is rarely the one who makes the phone call. The
mainframe market used CPU serial numbers for years. (Might still do for all
I know). The usual method was for them to supply a code number that worked
only with a certain CPU number. You typed it in at setup & it was saved in
some configuration file somewhere. Security would be in the program itself
so obviously not foolproof against someone with a disassembler & an attitude,
but in practice few people bothered. (Few is not none at all of course.
Once, when there was still a Soviet Union, I got a phone call from a friend
of mine in Voronezh, Russia asking me a simple question about a mainframe
OS. "But it's in the manual". "We don't have the manual". "But they
always... oh, I see...")
IBM would sometimes deliver a new CPU with your old number as an upgrade
which saved lots of hassle. Impractical for mass-market PCs though. OTOH
they also could sell you an operating system, VM, which allowed you to
completely virtualise the hardware and give your CPU any serial number you
wanted. Any CPU protection scheme is vulnerable to that "attack". If you can
write a Pentium emulator that runs on a Pentium you can run your OS on that
and give it any CPU id you want. I bet 95% of the code is in Linux already -
and the bit that isn't based on ideas that have been well-known for 20
years. Someone's probably done it already.
Ken Brown
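
The sign-then-validate registration from the quoted text, as an added example that is not part of the original message: the vendor signs the CPU serial, and the application checks the signature against whatever serial the platform reports. The toy RSA key, the product name and the serial strings are constructed for illustration; a real scheme would use a vetted signature library.

```python
import hashlib

# Toy RSA key from two Mersenne primes, constructed for this example only.
# Unpadded and far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent, never shipped

PRODUCT = "ExampleApp-1.0"  # hypothetical product name


def digest(serial: str) -> int:
    """Hash product name and CPU serial into an integer below N."""
    h = hashlib.sha256(f"{PRODUCT}|{serial}".encode()).digest()
    return int.from_bytes(h, "big") % N


def vendor_sign(serial: str) -> int:
    """Vendor side: sign the serial sent in by the registration app."""
    return pow(digest(serial), D, N)


def app_validate(reported_serial: str, license_code: int) -> bool:
    """Application side: needs only the public key (N, E).

    reported_serial is whatever the platform returns; the check cannot tell
    real hardware from a virtualised CPU that reports the same value.
    """
    return pow(license_code, E, N) == digest(reported_serial)


def demo() -> dict:
    licensed = "0000-0672-0001-A2B3"   # constructed serial
    other = "0000-0672-0009-FFFF"      # constructed serial
    code = vendor_sign(licensed)
    return {
        "licensed machine": app_validate(licensed, code),
        "different machine": app_validate(other, code),
        "altered code": app_validate(licensed, code ^ 1),
        # Same reported value, so same answer, whatever hardware is underneath.
        "virtualised CPU reporting licensed serial": app_validate(licensed, code),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The signature stops a code issued for one serial from validating against another, but the check is only as trustworthy as the layer that reports the serial and the integrity of the checking code itself.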