This one should have gone to the list. Right now I'll start playing with my mail client so that I don't reply off list inadvertently.
Ron is not talking to himself. Sorry!

Hello Ron,

let's continue our totally newbie-ish discussion :-)

Ron you're doing this nice and systematically, be sure I will archive this thread as long as it goes.

Thesis: Name mangling as Bert suggests is a way to protect intellectual property while the majority of points in this discussion are about protecting the income of the software supplier.

If a system is big enough (in lines of code) I would trust name mangling a lot. It is a bit compromised by polymorphism. Identical method names must have identical mangled names if it is an automated process. I was very close to using it twice (in Lisp), so I gave it serious consideration.

RT> 1) A system must be able to enable features for a single instance and
RT> prevent those features from being shared to other systems.

If you combine name mangling with individual crypting you can build modules which will only load into a single instance of the software.

RT> 2) A system could be able to detect features being used inappropriately

Will be unnecessary then.

RT> 3) A system could be able to periodically check for permission (trial
RT> software)

Smalltalk has one advantage here with being image based. If part (or all) of the user's data are always stored in the image you can keep a timer in the system which detects a set back system clock. Again we run such a timer in the hardware lock which also contains the end of trial date.

RT> Hardware encryption is more costly than software.

Yea, the way to go is to have one medium into which several software suppliers put their security codes. I guess the people from the link I provide have exceeded their initial goal to sell 1 million of their devices. I'm unhappy that I'm advertising here but those are serious guys and we do business with them for more than a decade. Imagine a dongle combined with a usb stick. The software suddenly becomes a physical possession. People are used to dealing with valuables for millennia.
As soon as a stolen software connects to the Internet the dongle (with all contained software) can be invalidated.

RT> Dongles have some issues, they are usually but not always only one factor
RT> (if you have the dongle the system works), they break or can be lost, and
RT> some are easily cracked (so it's important that the value of the software is

Like some software locks too, I cracked one by accident. OTOH I once worked for a man who replicated a dongle to learn how to use gate arrays :-))

RT> less than the amount of work to make your own, or that the dongles be unique
RT> per installation so that the selling of a cracked dongle is not profitable).

We have it this way though I personally dislike the effort it takes building updates and upgrades.

RT> Also because the dongle links the computer to the software and not the user
RT> to the software unauthorized users can still access the software. A good
RT> example is when a user leaves the dongle attached to the computer and goes
RT> to lunch.

I never tried but I believe that I can go to a computer, start IE, and export any certificate to my usb stick with no one the wiser. That leaves the password which in practice is easily hacked. Easy in a statistical meaning, as you already observed people don't care about security until it's too late. Next week I'll try if exporting a certificate already needs the password.

I would have to steal the dongle though. At least this wouldn't go unnoticed. A call to the supplier could lock that dongle and a replacement can be bought for the costs of the dongle.

RT> I do think that having hardware authentication is a good idea and it does
RT> make things much easier to verify when the crypto code is in the hardware.
RT> I still wonder why it is that they are not more widely used.

Here in Germany you can choose between several suppliers of dongles, many of them in the business for a long time. Autodesk have used dongles for very long until 2000 in Europe.
They sell a lot :-)) I know of vendors moving towards a dongle and others giving up on the dongle.

RT> As for email, until the certificates are free and the software does all the
RT> work for you, (hardware or not), I doubt we will see much more acceptance.

I totally agree.

RT> In the system that I'm building it is all automatic. If you use my software
RT> and then write an email to your doctor it automatically sends it encrypted
RT> from your regular email program. Or if you fill out a personalized template
RT> online to communicate with your doctor it is also sent encrypted with your
RT> certificate so that the doctor (and the insurance company) knows they are
RT> talking to the real patient.

How do you assure the identity of the patient the first time? How do you assure the correct initial recipient?

I always enjoy this line of thought, I got my first contract because I broke a protected software in front of the protector :-)

Thank you for reading!

Cheers

Herbert
mailto:[EMAIL PROTECTED]