
Security answer: Client code compiled into Software




Dear Omega people,

For a quick summary see the last paragraph.

The problem with the security issue is partly related to Omega's TS position 
in the marketplace. Let's look at the competition.

First of all we have got the low-end amateur products like WOW, 
Supercharts and zillions of others. They all sell de-dongled and 
without password protection unless they are sold over the internet. 
Basically it would be too expensive to provide a security mechanism for these 
products given the low price.

Secondly we have got the medium to professional league. These products 
are either sold exclusively with the data feed or they are licenced monthly.
Here we find Townsend Analytics, Robert Slade and others.
However these products differ slightly because you can run them on 
networks and the software must provide password authentication 
mechanisms in order to ensure that only a certain number of users are using the 
software and the datafeed. To dongle all those machines on the 
network is impracticable; that is why some central authentication 
mechanism is provided on the server. The monthly licencing ensures 
that the software producer provides real support, otherwise no one 
would still use the software.

The professional products which are run on trading desks at banks 
have either no copy protection or are protected by authentication mechanisms - 
otherwise the average trader at the bank would have 20 dongles 
sticking out of the back of his machine. Furthermore it is assumed 
that banks which invest millions in their hardware and software do 
not need to cheat.

TS Realtime is halfway between an amateur and a medium to professional 
product. The server and the software only run on one machine. 
Therefore it can only be used by small operations. (Larger operations 
need to share the database information). As TS is sold with a one-off 
licence fee the user must expect that he can use the software 
forever and on whatever machine he likes. Therefore it does not seem 
reasonable to sell the software with an authentication mechanism 
which is bound to the machine. If Omega is bankrupt the user would be 
without software. In any case: although he bought a forever licence he 
still needs to deal with Omega when he switches machines. I would 
think that many users find this uncomforting.

The alternative is that Omega switches to monthly licencing for TS realtime 
and moves into the medium professional league and detaches the server 
from. However such a move would probably require much more support, 
otherwise people would not licence the software.

The point of all this is: As long as Omega sells one-off licences and 
chooses to protect their software it should provide a mechanism which 
gives the client total ownership of the product.

The dongle is only partially an answer because the user 
is always frightened that he loses the dongle or that the dongle is stolen.

Neither the dongle nor the machine authentication seems to be the 
answer in Omega's case.

Given the moderate number of TS sold it is possible to code a
personal authentication code of the client into the software.
Basically you would get one standard CD with the main part of the
software and a custom burnt CD or diskette with the rest of the
software and some authentication code cleverly hidden somewhere in
it. (Given the speed of today's computers such a dll or exe could be
compiled in no time and be transferred to disk.) This would allow
the user to copy his software for safety reasons and deter him from
selling the software illegally because it could be traced back.

Gerrit Jacobsen


If you need further advice on how to implement this in a serious way 
please contact me. (Yes - I would be grateful for a free TS
upgrade in advance)
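
The per-customer code proposed in the message above, sketched as an added example (not part of the original message and not Omega's code). It assumes a vendor-held key and an appended, visibly marked record rather than a hidden one; all names, the marker and the sample bytes are constructed for illustration. The HMAC binds the customer id to the standard part of the software, so an edited id is detected instead of pointing at the wrong customer.

```python
import hashlib
import hmac

MARKER = b"\x00CUSTFP1"   # constructed marker; the message suggests hiding the record instead
VENDOR_KEY = b"constructed-demo-key"   # assumption: never shipped, kept on the vendor build host
TAG_LEN = 32              # HMAC-SHA256 output size


def _tag(customer_id: int, base_image: bytes) -> bytes:
    # Bind the id to the digest of the standard (shared) part of the product.
    msg = customer_id.to_bytes(8, "big") + hashlib.sha256(base_image).digest()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()


def build_custom_module(template: bytes, base_image: bytes, customer_id: int) -> bytes:
    """Vendor side: produce the per-customer module for the custom disk."""
    record = MARKER + customer_id.to_bytes(8, "big") + _tag(customer_id, base_image)
    return template + record


def trace_copy(module: bytes, base_image: bytes):
    """Vendor side: customer id of a recovered copy, or None if the
    record is missing, truncated or has been altered."""
    pos = module.rfind(MARKER)
    if pos < 0:
        return None
    body = module[pos + len(MARKER):]
    if len(body) < 8 + TAG_LEN:
        return None
    customer_id = int.from_bytes(body[:8], "big")
    expected = _tag(customer_id, base_image)
    if hmac.compare_digest(body[8:8 + TAG_LEN], expected):
        return customer_id
    return None


if __name__ == "__main__":
    base = b"standard CD contents (constructed sample)"
    template = b"custom module code (constructed sample)"
    module = build_custom_module(template, base, 1042)
    print("traced to customer:", trace_copy(module, base))
    i = module.rfind(MARKER) + len(MARKER)
    forged = module[:i] + (7).to_bytes(8, "big") + module[i + 8:]
    print("forged id accepted:", trace_copy(forged, base) is not None)
```

A record like this only supports tracing a copy that still contains it; a copy with the record removed returns `None`, which is why the message speaks of hiding the code inside the custom part.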