5

Click here to load reader

Security risks in buying a computer

  • View
    216

  • Download
    2

Embed Size (px)

Citation preview

Page 1: Security risks in buying a computer

Volume 4 Number 12 OCTOBER ISSN 0142-0496

OMPUTERPB~NB& SECURITY BULLETIN

Editor: MICHAEL COMER, Director, Network Security Management Ltd. London.

Associate Editor: ROBERT V. JACOBSON, President, International Security Technology Inc. New York

Editorial Advisors:

Jay J. BloomBecker, Director, National Data Center for Computer Crime, Los Angeles.

Robert P. Campbell, CDP, President, Advanced Information Management Inc, Virginia.

Andrew Chambers, Senior Lecturer in Audit and Management Control, City University Business School, London.

Dr. Jerry Fitzgerald, Jerry Fitzgerald & Associates, California.

Fred M. Greguras, Attorney, Nebraska.

Peter Hamilton, Managing Director, Zeus Security Consultants Ltd, London.

Jocelin Harris, Lawyer and Banker, London.

Peter J. Heims, Fellow of the Institute of Professional Investigators, London.

Geoffrey Horwitz, Executive, Ned Equity Insurance Co. Ltd. Johannesburg.

Alistair Kelman, Barrister and Legal Expert in Microelectronics and Computing, London.

Jules 6. Kroll, President, Kroll Associates, New York.

Norman Luker, Security Management, Northern Telecom Ltd. Montreal.

James Martin, Author and Lecturer.

Adrian R. D. Norman, Consultant, Arthur D. Little Ltd.

Donn B. Parker, Senior Management Systems Consultant, Stanford Research Institute, California.

Alec Rabarts, Fellow of the Institute of Chartered Accountants, London.

Timothy J. Walsh, President, Harris and Walsh Management Consultants, New York.

Graeme Ward, Head of Audit, Abbey National Building Society, London.

Philip Weights, Philip Weights & Associates, Surrey, U.K.

CONTENTS Security risks in buying a Software protection in Japan 10 computer 1 Seal your computer secrets 13 Software copyrighting NTIS bibliographies 14 attacked 5 Computer security conferences 15 Secure operating systems 6

SECURITY RISKS IN BUYING A COMPUTER

CHEAP0 COMPUTERS LIMITED

Really cheap computers for sale. If you are a first time user or wish to upgrade your system. and have no' in-house experience of what to buy, come and see us. We can sell you DOngO disk drives linked to Blotto processors and Mongul memories all cobbled into our own liquorice allsorts system at half the price any of the major manufacturers can offer you.

Phone Mr..........

Such a claim may seem too good to be true and it probably is.

The purchase of a who is faced with differing prices.

new computer is a minefield for the unwary buyer a bewildering array of equipment at wildly

Is it preferable, for example, to buy a new machine from a major manufacturer, or to go to a small OEM (original equipment manufacturer): or to a broker/consultant, to import from the USA

0 1982 Elsevier Science Publishers b.v. Amsterdam. No part of this publication may be

lil .SI:\ I lili reproduced, stored in a retrieval system, or transmitted in any form or by any means. electronic.

l\'l‘lil1s.vl'lo\ il. mechanical, photcopying. recording or otherwise, without the prior written permission of the publisher.

l3I‘I.I.F:I‘INS

Page 2: Security risks in buying a computer

-2-

(where prices are usually cheaper), to buy a "turnkey system", to lease or rent?

Choices What are the choices over Operating Systems, application and utility software, facilities management contracts or between bureau or timesharing operations or those dedicated and in house? Just what are the consequences of making the wrong decision; particularly if you are a first time buyer?

INDUSTRY BACKGROUND

In order to encourage technological development and to stimulate competition, many governments have introduced legislation restricting what manufacturers can do to discourage manufacture of compatible equipment or competitive marketing of their products.

So if computer manufacturers change the structure or architecture of their equipment in a way that cuts off the business of local manufacturers of peripheral equipment they may well find themselves in serious trouble. The law has a lot to answer for in the way the computer industry is now structured and for enabling many of the existing sharp practices to start and continue unpunished.

For example the practice of cross border or parallel trading has Drawbacks of free mushroomed on the fertile soil of "free trade". This practice trade arises because of the differences in the pricing of their products

in different markets by major manufacturers, and the computer industry is not alone in this respect. As stated earlier, traders can often purchase computer equipment much more cheaply in the US, modify it for European power requirements and then ship it to the UK where they hope to undercut the domestic prices of the larger manufacturers. Often equipment will be mixed and "systems" are on offer that might be cobbled together from the products of five or six manufacturers, usually selected on the basis of one factor - cheapness. It is not unlike importing a car engine from General Motors, the body from Ford, the transmission from Honda, the brakes from Colt and the windscreen washers from Renault. The result may actually run, but what about long term compatibility or service or repair?

As a result it has become possible for people without any technical backup to enter the computer market, to buy cheaply overseas, make cut-price power conversions and mix together components which often should never be mixed and which will not be maintained or serviced

The Buyer pays the by any reputable manufacturer. The unwary buyer, enticed by the price cheap prices that such operators are able to offer, is left to pick

up the bill when his supplier closes down or disappears. It is perhaps ironic that Government Departments, while working under tight budgets, are amongst the biggest customers of the computer industry's version of bucket shops.

In modern day computer systems, and particularly "minis", more than 30% of the total cost is made up of software. The most expensive

component is the Operating System: this software drives the computer, handles .input and output and generally makes the whole thing hang together. Underneath this comes "laid" or "layered" software such as compilers and interpreters which enable the machine to recognise specific languages such as COBOL or BASIC and below these are other packages for Accounts Payable, or Payroll usually called "application software".

Monopoly Most manufacturers have the monopoly on Operating System software.

Page 3: Security risks in buying a computer

-3-

Users must be licensed

This reflects the fact that computer manufacturers who design the machine also, as a consequence, tend to know best how to run it and to provide the software for others to do so.

So when manufacturers supply a central processing unit, they usually also supply the Operating System software. This will usually be on a disk and may, or may not, be accompanied by code listing and reference manuals. But most importantly, the manufacturer will also supply a license for the user to run the operating system.

Different manufacturers use different forms of licensing: some issue a formal certificate showing precise details of the machine on which the software is licensed, others simply issue a letter while others will be even more relaxed. The common point is that users are not permitted to run operating system software unless they are specifically licensed to do so. If they ignore this warning, and are caught out, heavy penalties can be imposed for breach of copyright and, in extreme cases, for theft. The copyright holding manufacturer may also refuse to license the system, so that in addition to all of the other problems, the user may be totally deprived of his computing facilities.

Licensing and software dues or royalties have become an extremely important element in the costing of a system and it is by the avoidance of these that some disreputable suppliers are able to gain and undercut genuine competitors. By pirating software the dishonest supplier can avoid up to 30% of his buying-in costs.

Sandwiched between the major manufacturers and users are a wide range of traders, the most important of which are usually called OHMS or original equipment manufacturers. The majority of OHMS supply a vital service and are honest. They purchase equipment from one or more manufacturers, develop or buy in application software and package it for sale as their own end system. They may even attach their own brand name to what is essentially a major manufacturer's machine. This is usually perfectly legal.

OHMS have to ensure that they obtain a software licence for every

Software pirating CPU supplied by them or run in-house by them for bureau or testing purposes. The temptation in some cases to copy software and sell it to a user without a licence can be extremely high if the OHM or one of his sub OHMS or broking customers is in serious financial difficulties. The physical copying of an operating system from one disk to another or to tape is a simple matter.

However, it is not so simple for the major manufacturers to check that each computer sold by them is finally licenced to the end user who runs it. Many CPUs are shipped by the manufacturers in an unfinished state and are assembled by OHMS either to make up a new machine or to repair an old one. These unassembled CPUs do not need a licence in their unfinished state and therefore keeping track and enforcing copyright on every CPU is very difficult. What is more, it appears that up to now the major manufacturers have refrained, for various reasons, from implementing policies to combat this problem effectively.

However, what might at first appear to be a blank cheque for dishonest operators could also turn out to be a pitfall for unlicenced users. Eventually, like it or not, with revenues on hardware dropping, the major manufacturers will decide to take a tough stand over software piracy. when they do a number of users

Volume 4 Number 12 ~OElsevier Internatmnal Hullvtins.

Page 4: Security risks in buying a computer

-4-

Criminal prosecution

will find themselves without a licenced installation and facing criminal and civil prosecution alongside their suppliers.

LESSONS FOR BUYERS

If you are thinking of buying a new system, here are some recommendations:

1. Specify exactly what your requirements are before seeing any supplier.

2. Invite at least three suppliers to evaluate and comment on the specification.

3. Set a date by which written tenders must be received. Do not open tender documents until that date. Then open the quotations in the presence of three or four senior managers.

4. Evaluate the tenders carefully: clarify any licensing issues including operating software and application packages.

5. If the supplier chosen is a small OEM or broker, visit his premises and check with existing customers. He may supply a list of "reference sites". Try to find other customers, not on this list, and visit them. Check how good the service is in practice. Take up trade references.

6. Obtain written confirmation on software licencing issues:

who will issue the licence what form will it be in will it enable you to take “back up" copies of operating systems and the software

7. Check how the machine will be supplied:

will it be supplied directly by the manufacturer will it be imported will it be obtained through a broker or other OEM

and that maintenance, if necessary, will be taken over by the major manufacturer.

Check your license If you already run a system and are not sure whether you are licenced to run it, the time to check is now. Ask your supplier for a copy of the licence document, which should specify the serial number of your machine, the exact version of the operating system concerned and any layered software. If you have any doubts, check with the major manufacturer whose system you use and try to obtain confirmation in writing.

If you approach the manufacturer voluntarily, he is unlikely to penalise you even if you are unlicenced, and in many cases will be prepared to issue a licence in exchange for your support against your supplier.

In the heady days when it appears that company X is giving the deal of a lifetime, caution can be thrown out of the window. Yet the potential problems of having your machine seized because it has "fallen off the back of a lorry", locked down because the software has been pirated or is not licenced or locked solid because the supplier has gone out of business, are all too real.

Volume 4 Number 12 IC8

Page 5: Security risks in buying a computer

-5-

SOFTWARE COPYRIGHTING ATTACKED

System software unchangeabZe

Documentation essantia2

Although the majority of suppliers are totally honest and ethical, there are some who are not. A pound saved at purchase could mean a thousand lost in maintenance, licencing penalties and system crashes. The cheapest system to purchase may not be the best in the long run.

Speaking at the "Success in Software" seminar this summer in Palo Alto, California, Edwin Lee, chief executive officer of Pro Log Corp., Monterey, Calif., said most software on the market today is legally protected by unreasonable licensing arrangements that "put the survival of systems companies at the mercy of software vendors".

Largely from financial motivation, Lee said, software vendors today are doing as much as possible to keep their products secret, both by employing legal protection measures such as copyrights and by providing poor quality or incomplete documentation.

"This practice is responsible in large part for accelerating the so-called 'software crisis"', he said "by making it necessary to create more and more programmers rather than providing easy access to tools that will increase the efficiency of existing programmers."

Lee explained that the software involved in system end-products consists of three levels: application software, system software and hardware drivers. The user typically designs his own hardware drivers and application software, over which he has complete control. The middle level - e.g. an operating system such as CP/M - is owned by an independent OEM and rented or leased to the user, who pays a royalty for each copy.

Thus, according to Lee, "the user gives up control over a fundamental portion of his product. He cannot modify or duplicate that portion. If he does, he violates the copyright, and the lessor can require him to destroy all existing copies. Thus the software vendor gains a life-or-death hold over his customers".

Furthermore, he said, patents involving hardware invention traditionally have been used to protect the inventor for a limited period , while at the same time disclosing the invention to promote a free exchange of ideas. Copyrights, on the other hand, were designed to reward an artist or novelist indefinitely for a creative act.

"By copyrighting software, we're treating that software as a work of art", Lee said. "But it's not - it's a professional design, just like hardware. Software copyrights not only keep a useful professional design under wraps forever; they also prevent any exchange based on that design."

But the real key to gaining control of the product design, Lee added, is good software documentation. "Most software comes with an operation manual that describes how to implement, interface and actually use the software. What's missing is the design manual, with specifications, descriptions, data structures, maps, flow charts and source listings."

The real test of the Pro-Log philosophy, Lee said, will come as Pro-Log begins to market its own software products. The company recently announced a series of sub-system-level modules to be sold

Volume 4 Number 12 0 Elsevier International Bulletins.