[asterisk-biz] Copy protect your Asterisk Box

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Thu Dec 21 17:16:51 MST 2006


On 12/21/06, C F <shmaltz at gmail.com> wrote:
>
> Really???????????
> How about cutting the power to the "thick steel case that is welded
> shut" so that the added "switches to detect case intrusion and
> immediately erase the flash device that store the crypto keys" just
> fail??????????????????


VISA requires that pin codes and all that be stored in volatile memory.
Keep in mind that these systems are largely directly controlled by visa, but
...  When the case is opened power is physically cut to this storage and
that prevents someone from dumping the memory via an external device.  A
similar setup could be used, but at what cost?  With a flash drive it could
have an internal battery that would execute code causing it to wipe, but
this has to be fully autonomous, so that it can run and erase the flash
device even if power to the main system is disabled.

Ultimately any copy prevention must be weighed in a business decision
against the cost of the system to prevent vs loss of others selling clones.

As for all of this, I almost think it better to brand your device and use
that brand name to carry you through clones/competitors.  If you get a loyal
following of people who will bad mouth your competition, just because they
compete with you, and praise your box just because it's yours, even if the
other stuff is superior in some way, you will still see a bunch of sales,
and thus revenue.  And if you do it right, you get all these people
'working' for you for free, and they think that by being unpaid marketing
drones they are somehow doing a good thing.  It's amazing to see it in action
when that happens.

As for the GPL you are only required to give out the GPL components if you
distribute.  If you lease the systems there is a bit of ambiguity, which I
personally believe does not meet the definition of distribution (google,
ebay and others use GPL code, you use their systems, use of the system is
not distribution even the FSF admits that ...).  Under a lease arrangement
you could have a very stiff penalty for opening the system (just as the
initial Itanium systems were sealed with tamper evident controls to prevent
people from opening them).  Have a clause in the lease contract stipulate
enough damages payable that it would keep most companies honest.  This of
course doesn't prevent a shell company from being formed, but to weed those
out sales have to be accompanied with due diligence, which is likely to turn
off customers in the first place, and generally harm sales.

Legally, in many jurisdictions if you sell the hardware the customer can do
anything they want with it, including break any protection systems you might
have put in place.  See the AU case where Microsoft lost on those very
grounds regarding chipping an Xbox.  While that may not be the case in all
markets, can you totally prevent someone from taking your system to that
jurisdiction and then mounting an attack (or just fabricating 'evidence'
that this is what occurred)?

And let's say that you do manage to protect it, how would you know that
customerA was the one that broke the system and copied everything?  It's
unlikely that the company you sold to is the one that will be reselling the
clone system.  Without a maintenance agreement with each customer, you may
not have access to even know if the box works and is powered on, or
disassembled in some lab being plundered.

There is no good or easy answer to this problem, if the data can be accessed
and used, it can be copied.  Even crypto filesystems can be broken, it's just
a matter of access, money (to buy skilled people), and time.  Security on
any level needs to be tempered with the question 'secure from whom and for
how long'.  If you want something that will last, you will need to spend
money and time to make it secure, and if you get 6 months I would be
impressed since you are in effect giving the keys to the kingdom with every
box shipped.

Now if you wanted to make something more secure, avoid license issues, and
prevent for the most part, copying and cloning of your service directly, a
hosted application might do the trick.  It doesn't have to go across the
internet at large, it could be a private network for privacy and quality
reasons.  Then the application that drives the business resides at your
facility not theirs.  And if you do this right, you could see a lower cost
per system.  The capacity of an 'average' soho pbx is far exceeded by the
capabilities of the hardware it runs on.  By placing multiple people on the
same hardware, you can lower your per channel cost, provide a more cost
effective solution, and be more competitive against others.


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 712 432 7999
http://www.trxtel.com the VoIP provider that pays you!