<br><br><div><span class="gmail_quote">On 12/21/06, <b class="gmail_sendername">C F</b> <<a href="mailto:shmaltz@gmail.com">shmaltz@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Really???????????<br>How about cutting the power to the "thick steel case that is welded<br>shut" so that the added "switches to detect case intrusion and<br>immediately erase the flash device that store the crypto keys" just
<br>fail??????????????????</blockquote><div><br>VISA requires that PIN codes and all that be stored in volatile memory. Keep in mind that these systems are largely directly controlled by VISA, but ... When the case is opened, power is physically cut to this storage and that prevents someone from dumping the memory via an external device. A similar setup could be used, but at what cost? With a flash drive it could have an internal battery that would execute code causing it to wipe, but this has to be fully autonomous, so that it can run and erase the flash device even if power to the main system is disabled.
<br><br>Ultimately any copy prevention must be weighed in a business decision against the cost of the system to prevent vs loss of others selling clones.<br><br>As for all of this, I almost think it better to brand your device and use that brand name to carry you through clones/competitors. If you get a loyal following of people who will bad-mouth your competition, just because they compete with you, and praise your box just because it's yours, even if the other stuff is superior in some way, you will still see a bunch of sales, and thus revenue. And if you do it right, you get all these people 'working' for you for free, and they think that by being unpaid marketing drones they are somehow doing a good thing. It's amazing to see it in action when that happens.
<br><br>As for the GPL, you are only required to give out the GPL components if you distribute. If you lease the systems there is a bit of ambiguity, which I personally believe does not meet the definition of distribution (Google, eBay and others use GPL code, you use their systems, use of the system is not distribution, even the FSF admits that ...). Under a lease arrangement you could have a very stiff penalty for opening the system (just as the initial Itanium systems were sealed with tamper-evident controls to prevent people from opening them). Have a clause in the lease contract stipulate enough damages payable that it would keep most companies honest. This of course doesn't prevent a shell company from being formed, but to weed those out sales have to be accompanied with due diligence, which is likely to turn off customers in the first place, and generally harm sales.
<br><br>Legally, in many jurisdictions if you sell the hardware the customer can do anything they want with it, including break any protection systems you might have put in place. See the AU case where Microsoft lost on those very grounds regarding chipping an Xbox. While that may not be the case in all markets, can you totally prevent someone from taking your system to that jurisdiction and then mounting an attack (or just fabricating 'evidence' that this is what occurred)?
<br><br>And let's say that you do manage to protect it, how would you know that customerA was the one that broke the system and copied everything? It's unlikely that the company you sold to is the one that will be reselling the clone system. Without a maintenance agreement with each customer, you may not have access to even know if the box works and is powered on, or disassembled in some lab being plundered.
<br><br>There is no good or easy answer to this problem; if the data can be accessed and used, it can be copied. Even crypto filesystems can be broken, it's just a matter of access, money (to buy skilled people), and time. Security on any level needs to be tempered with the question 'secure from whom and for how long'. If you want something that will last, you will need to spend money and time to make it secure, and if you get 6 months I would be impressed since you are in effect giving the keys to the kingdom with every box shipped.
<br><br>Now if you wanted to make something more secure, avoid license issues, and prevent, for the most part, copying and cloning of your service directly, a hosted application might do the trick. It doesn't have to go across the internet at large, it could be a private network for privacy and quality reasons. Then the application that drives the business resides at your facility, not theirs. And if you do this right, you could see a lower cost per system. The capacity of an 'average' SOHO PBX is far exceeded by the capabilities of the hardware it runs on. By placing multiple people on the same hardware, you can lower your per channel cost, provide a more cost effective solution, and be more competitive against others.
<br></div><br></div><br>-- <br>Trixter <a href="http://www.0xdecafbad.com">http://www.0xdecafbad.com</a> Bret McDanel<br>Belfast +44 28 9099 6461 US +1 712 432 7999<br><a href="http://www.trxtel.com">http://www.trxtel.com
</a> the VoIP provider that pays you!