Many interesting points here...but I'll stick to just one: At 2:56 AM 9/11/95, Douglas Barnes wrote:

On the legal front, it's not clear what you can do to someone even if you _can_ prove that the 100,000 pirate copies of Windows 95 circulating in Amsterdam stemmed from his copy. Machines get hacked, co-workers and family members often have free access to machines running software -- it's not clear that media companies _want_ to invoke the paranoia associated with potential responsibility for millions of dollars in damages if someone makes an illegal copy of one's software and the loaves and fishes ensue. [Imagine what great revenge this would make for jealous co-workers, ex-wives, etc.]

If a piece of mail addressed to me is found littering the highway, can I be convicted of littering? No, because the _provenance_ of that item of mail cannot be determined...it might have accidentally blown out of a trash truch delivering my mail to the dump, for example. Ditto for most schemes to serialize software. As Doug notes, the offending item might have been copied when I wasn't looking, copied by my girlfriend when I was away, or even copied at the factory or at the software store prior to my gaining control. Or copied after I discarded it. (Requiring owners of Microsoft Word to treat it like a state secret--more on state secrets in a minute--is impractical and unenforceable.) One thing serialization could do is to allow proof that a distributor had not acquired a particular copy/instance through normal channels. But it's usually obvious anyway when Joe's Really Cheap Warez has 200 copies of Microsoft Word, all with the same serial number. The "light signatures" scheme I've written about here could be used to authenticate the distribution media itself, though not the installed copies of course. (This would be like the Microsoft hologram, except in spades.) Since the technology for this is not available to home or business users, I don't see this as a viable approach. Another thing that could work to foil mass counterfeiters is to serialize the diskettes and include a hash of the serial number, as some lottery tickets now include. Counterfeiters could try two basic approaches: 1. Make up their own numbers. But they could not compute a valid hash, as they lacked the (presumably secret) knowledge to do so. With public key approaches, a customer could "authenticate" that at least Microsoft, say, must have generated the number. (This doesn't take care of multiple copies of the same serial number, which takes us to:) 2. Multiple copies of a single, valid serial number. Here, the counterfeiter directly copies both the serial number and its hash. (This approach doesn't work to counterfeit lottery tickets. The reason is left as an exercise for the reader.) One way I can think of to head this off is to have a registry of "taken" or "sold" numbers, in which serial numbers are deposited. A purchaser could consult this data base to see if the number on the package he is planning to buy is already registered. (There are complications about time delays, and so forth, but this would eventually limit multiple same number packages.) This discussion assumes that purchasers are interested in getting valid, non-counterfeit programs. Many are not, of course. Certain types of programs pretty much require support by the vendor, others don't. A standard discussion topic. I said I'd mention "state secrets" again. The usual example for making subtle modifications to documents to see who leaked it is the intelligence community, which gave us the term "barium" (because the changes look like barium in an x-ray diagnostic). In that case, the agencies can enforce their laws in a draconian way, sometimes merely by suspicion. And the workarounds we discuss, of DIFFing the files, are unlikely to be practical. ("Hey, Sid, can I borrow your copy of "Covert Operations in Bosnia" so I can DIFF it with my copy?") --Tim May ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway."