Re: Ever see automatic 30-day trials for mainframe software?

[Timothy Sipples]

You can take a look at a couple IBM examples for inspiration such as:

- Enterprise COBOL Developer Trial
- CICS Transaction Server for z/OS Developer Trial

Another possibility available for certain types of products is to provide
Internet access (preferably via an encrypted connection) to an evaluation
system. Create an ID for the evaluator (or multiple IDs for multiple
evaluators) and let them take a spin. Then disable the IDs after a warning
period. That avoids much of the hassle of supporting evaluations.

Watermarking (Licensed to ACME Corporation, Contract ACME001) is an
interesting idea, though I think the best place to put watermarks is in
logs, traces, dumps, etc. that a customer would sometimes submit for
support purposes.

I'm a big fan of sub-capacity licensing terms, and that tends to help
support evaluations. Many potential customers are willing to license, say,
3 MSUs for one month for a relatively small amount of money before
committing to 300 MSUs. If you've got the license agreement in place, it's
then straightforward to increase the quantity on that basis.


Timothy Sipples
VCT Architect Executive (Based in Singapore)
E-Mail: sipp...@sg.ibm.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Bill Soper]

Makes me curious of the lists opinion on if z/OS LPARs are usually able to 
contact an internet site, or are commonly isolated? 
I seem to have formed the impression that it's quite common to have a path 
out/in (typically via firewalling...) is that impression accurate?
It would seem to me that having a product work during initialization, then 
contacting a license server using, say, the CPUID just as vendor keys often do, 
to see if this is a licensed install would potentially be an option too? Of 
course only useful where a network path to the provider is permitted so would 
be back to manual registration keys for those where it is not... 
And not suggesting that is hackproof either, and I note the anecdotes that some 
sites have done the wrong thing, although if they had to actively hack I 
suspect 'they' would pause. Enabling more automation through connectivity 
rather than the expiring keys that I also remember would seem a nicer solution.
Thoughts?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Elardus Engelbrecht]

Bill Soper wrote:

It would seem to me that having a product work during initialization, then 
contacting a license server using, say, the CPUID just as vendor keys often 
do, to see if this is a licensed install would potentially be an option too? 

What will you do if your bread-and-butter system can't get working around 08:00 
because the vendor or the route to the vendor is down? Your users are waiting 
and phones are ringing and you [only one with know-how] are on leave today...

Of course only useful where a network path to the provider is permitted so 
would be back to manual registration keys for those where it is not... 

If contacting the vendor is futile, then use a temp key valid for few days. 
That temp can be downloaded periodically replacing the old temp.

Good questions, but messy to apply...

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[John McKown]

This has been an interesting discussion. I understand why vendors lock
software to specific machines and dates. Especially in the non-corporate
world. But I had another evil thought. I wonder how many z/OS system exist
which are not connected to the Internet. Not accessible to the Internet,
but can access the Internet, to do things such as software delivery such as
IBM's SMPE can do.
Evil idea:
1) Have an execution key which encodes the valid CPUID and run date
interval (upper and lower date).
2) If the key is good, just run - but tell the user if the key is going to
expire within 30 days, via a nice WTO.
3) if the CPUID validates, but the date is expired:
3.1) IP connect to support site to log key expiration and then run
normally. Don't tell the user anything.
3.2) if you can't connect to the support site  the key expiration is less
than 31 days, issue a strong warning via a WTO.
3.3) if you can't connect to the support site  the key expiration is
greater than 30 days, refuse to run.
4) if the CPUID is invalid  the program _can_ IP connect to the vendor
site.
4.1) Use GeoIP to validate the incoming IP's country of origin.
4.1.1) If in a good country, allow software to run. Vendor documents and
sues user's company.
4.1.2) if in a bad country, execute nasty user code (see below)
5) if the CPUID is invalid  the program cannot IP connect to the vendor
site, execute nasty user code.

Nasty user code: Write some code which burns some CPU, the amount to burn
would need to be something that the nasty user would expect. Then go
through a fairly long chain of branches (to complicate branch tracing), and
finally abend with an S0C4-4 trying to overlay low core. If the user is
indeed a thief, then what is the likelihood that they will have an expert
which could resolve this problem? And they can't call your support because
that would give them away.

Evil quotient: too little; just right; too extreme.

-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Joel C. Ewing]

On 03/28/2014 07:39 AM, John McKown wrote:
 This has been an interesting discussion. I understand why vendors lock
 software to specific machines and dates. Especially in the non-corporate
 world. But I had another evil thought. I wonder how many z/OS system exist
 which are not connected to the Internet. Not accessible to the Internet,
 but can access the Internet, to do things such as software delivery such as
 IBM's SMPE can do.
 Evil idea:
 1) Have an execution key which encodes the valid CPUID and run date
 interval (upper and lower date).
 2) If the key is good, just run - but tell the user if the key is going to
 expire within 30 days, via a nice WTO.
 3) if the CPUID validates, but the date is expired:
 3.1) IP connect to support site to log key expiration and then run
 normally. Don't tell the user anything.
 3.2) if you can't connect to the support site  the key expiration is less
 than 31 days, issue a strong warning via a WTO.
 3.3) if you can't connect to the support site  the key expiration is
 greater than 30 days, refuse to run.
 4) if the CPUID is invalid  the program _can_ IP connect to the vendor
 site.
 4.1) Use GeoIP to validate the incoming IP's country of origin.
 4.1.1) If in a good country, allow software to run. Vendor documents and
 sues user's company.
 4.1.2) if in a bad country, execute nasty user code (see below)
 5) if the CPUID is invalid  the program cannot IP connect to the vendor
 site, execute nasty user code.

 Nasty user code: Write some code which burns some CPU, the amount to burn
 would need to be something that the nasty user would expect. Then go
 through a fairly long chain of branches (to complicate branch tracing), and
 finally abend with an S0C4-4 trying to overlay low core. If the user is
 indeed a thief, then what is the likelihood that they will have an expert
 which could resolve this problem? And they can't call your support because
 that would give them away.

 Evil quotient: too little; just right; too extreme.

I seem to recall a case where the vendor wanted to change contract terms
at renewal in a way that was unacceptable to our corporate management
and it took several months of negotiations past the formal expiration of
license between our lawyers and theirs before a renewal agreement was
finally reached.  We had been a customer for at least a decade, had
other products from the vendor, and it was clear it was in both party's
interest that some agreement would eventually be reached; but we lived
on temporary keys for several months.  Any sort of automated validation
system would have to be flexible enough to allow for unusual cases like
this.

-- Joel C. Ewing, Bentonville, AR jcew...@acm.org

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[John McKown]

On Fri, Mar 28, 2014 at 9:06 AM, Joel C. Ewing jcew...@acm.org wrote:
 snip

 I seem to recall a case where the vendor wanted to change contract terms
 at renewal in a way that was unacceptable to our corporate management
 and it took several months of negotiations past the formal expiration of
 license between our lawyers and theirs before a renewal agreement was
 finally reached.  We had been a customer for at least a decade, had
 other products from the vendor, and it was clear it was in both party's
 interest that some agreement would eventually be reached; but we lived
 on temporary keys for several months.  Any sort of automated validation
 system would have to be flexible enough to allow for unusual cases like
 this.

 -- Joel C. Ewing, Bentonville, AR jcew...@acm.org


Yes. I forgot to mention temp keys and DR keys which, if would guess,
would be valid on _any_ processor until a given date, encoded in the key.
Any valid key results in execution without IP connection to the outside
world. I also like a previous poster's mention that a key file can contain
any number of keys and the program will run quietly so long as at least one
checks as valid. And, of course, stops checking keys once a valid keys is
read.

But all of this is just if the software is key locked. Personally, I
don't like such. But, then again, I am an FSF member.

-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[retired mainframer]

It sure seems like Chicago-Soft has achieved a license mechanism for
QuickRef with near-minimal inconvenience:

 On their website you specify a CPU and request a key(1).
 They send an email with a binary attachment.
 You transfer that attachment to a z/OS dataset on DASD.
 It's never taken me more than 5 minutes.

(1) Since they don't currently offer trials, they perform some contract
verification tasks before you can request the key.  But that wouldn't be
necessary for a trial.  On those occasions where their lawyers and ours
haven't seen eye-to-eye, they have still given me temporary 30 or 60 day
keys until the i's get crossed and the t's get dotted.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Mike Schwab]

On Fri, Mar 28, 2014 at 6:44 AM, Bill Soper sop...@au1.ibm.com wrote:
 Makes me curious of the lists opinion on if z/OS LPARs are usually able to 
 contact an internet site, or are commonly isolated?
There are some systems that are totally disconnected.  Maybe 1-10%?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Steve Comstock]

On 3/26/2014 11:38 PM, Ed Jaffe wrote:

On 3/26/2014 9:20 AM, Charles Mills wrote:

Right. Good input. Thanks. I have shipped software with a hard-coded
expiration date. What I am looking for is a floating expiration date
that
would be 30 days after installation, whether installed today or a year
from
today.


Our trial software expires n days after download. The key is stored in
a load module. It would not be difficult to use the SHSCRIPT function of
SMP/E to create a module in a z/OS UNIX directory with expiry date
relative to install date. Food for thought for the future. :)

However, I really don't like the idea of an expiry date relative to
first execution. Implementation could get messy.



Also, what about the shop that tries to locate the
end date and zap it? You may say it doesn't happen
but I have heard tales...

-Steve Comstock

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Elardus Engelbrecht]

Steve Comstock wrote:

Also, what about the shop that tries to locate the end date and zap it? You 
may say it doesn't happen but I have heard tales...

True. I also heard it via grapevine.

Some software does integrity checks [CRC check?] on that date to prevent 
zapping. Rather, you can replace [1] a jump/branch to that part which examines 
that date, so no checking can be done at all. 

However, that will also fails if the checking part sets [sometimes 
periodically] a flag in memory which says I'm now licensed/legal and each 
functions of that software check that flag.

There are self modifying code [on PC] which modifies the storage areas where 
the program is loaded and then in that storage the keys/dates/etc are only 
revealed/checked. So what is written in the program on disk is not always the 
same when loaded in memory. I think that self modifying trick can't be done 
with REUS=RENT programs except those in key=0 on z/OS. [2]

Groete / Greetings
Elardus Engelbrecht

[1] - with some NOPs.
[2] - debuggers can override it, even with REFRPROT set.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[John McKown]

On Thu, Mar 27, 2014 at 12:38 AM, Ed Jaffe edja...@phoenixsoftware.comwrote:

 On 3/26/2014 9:20 AM, Charles Mills wrote:

 Right. Good input. Thanks. I have shipped software with a hard-coded
 expiration date. What I am looking for is a floating expiration date
 that
 would be 30 days after installation, whether installed today or a year
 from
 today.


 Our trial software expires n days after download. The key is stored in a
 load module. It would not be difficult to use the SHSCRIPT function of
 SMP/E to create a module in a z/OS UNIX directory with expiry date relative
 to install date. Food for thought for the future. :)

 However, I really don't like the idea of an expiry date relative to first
 execution. Implementation could get messy.


Much easier to have an expiry date relative to the download date. What
occurs to me to do is have a customized module. The web site asks the
person for the CPUID of the z machine. This is used to encrypt one of the
CSECTs. The CPUID is also recorded on the vendor's site so that the
application cannot simply be downloaded multiple times (limit to something
like n times from the date/time of the first download for a maximum of
n days, then deny another download for the same CPUID after those n
days. The code would decrypt the CSECT at execution time using the running
system's CPUID. Then validate some offset in the CSECT to make sure it has
the proper eye catcher to validate that the decryption gave back the proper
information. A different, worse?, way would be to distribute that CSECT as
object code. At execution time decrypt the object code and invoke the
Binder API to convert it on-the-fly into executable code. I don't know if
the Binder API can do a load and go like this or not.



 --
 Edward E Jaffe
 Phoenix Software International, Inc
 831 Parkview Drive North
 El Segundo, CA 90245
 http://www.phoenixsoftware.com/


 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Elardus Engelbrecht]

John McKown wrote:

I don't know if the Binder API can do a load and go like this or not.

It can. You can invoke Binder from a program using ATTACH EP=IEWBLDGO and LOAD 
EP=IEWBLDGO.

SubCapacity job does that similar thing. You use EXEC PGM=LOADER with your list 
of software used and a SYSLIN which contains a copy of the module in 
pre-formatted text lines.

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Mark Jacobs]

Speaking for myself only, I agree 100% with Phil. I HATE with a passion 
mainframe vendor software with license keys, codes, all the myriad ways 
they use to make my life difficult, adds work to my team, and puts my 
company at risk if a vital piece of our infrastructure fails for 
licensing problems.


If it was up to me, when we do our software evaluation process, any 
product that has these restrictions goes to the bottom of the list of 
products that we're going to look at.


Just my $.02

Mark Jacobs

On 03/27/14 10:24, Phil Smith wrote:

Steve Comstock wrote:

Also, what about the shop that tries to locate the
end date and zap it? You may say it doesn't happen
but I have heard tales...

OK, I know this is going to turn into a religious issue, but here's my $0.02.

In 30+ years I've never seen this. I've seen ONE case where a customer was 
using licensed software illegitimately (on an extra CPU)-and that was an 
oversight: when it was recognized, it was a full-price bluebird for the sales 
rep, who was NOT unhappy at all.

I realize there are issues with Certain Countries whose reputation suggests 
that such practices might be common, but without hard proof, I'm not inclined 
to invest a lot of effort-initial and ongoing-in a CPUID protection scheme; it 
just doesn't seem worth it. And if the alternative is that those countries 
simply wouldn't buy the software anyway, then it's really not a cost to the 
vendor. YMMV.

Of course any sysprog worth his or her salt could hack such a scheme in 
minutes; this is the same as having unalarmed windows on your locked house: any 
thief who's interested can get in via a broken window. The question is whether 
it's also worthwhile to lock the front door and stop the casual intruder (and 
yes, I realize that seems to be arguing against my thesis-but locking your 
front door is low-cost and low-impact, as opposed to building, maintaining, and 
staffing 24x7 a CPUID mechanism).

SAS C used to have a nice, simple scheme: the compiler would say SAS C LICENSED TO company 
whenever it ran. You could run it on the wrong CPU, but it would whine (I forget whether it also said Hey, 
dude, wrong CPU!). The theory (I assume) was that no serious company would run software that basically yelled 
Look! Stolen! every time, but in a pinch, you could get critical work done. Seemed elegant to me.

As ever, I'd ask the question: What problem are you trying to solve with a 
CPUID scheme? That is, what's the REAL problem THAT YOU ARE HAVING? Or is it a 
theoretical problem? If the latter, consider the cost before investing: is your 
software so magical that it never needs support? If it does tend to need some 
support, then you'll find the cheaters eventually, and have 'em over a barrel 
price-wise...

...phsiii

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN





--
Mark Jacobs
Time Customer Service
Tampa, FL


The quiet ones are the ones that change the universe...
The loud ones only take the credit.

Londo Mollari - Babylon 5

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Phil Smith]

Steve Comstock wrote:
Also, what about the shop that tries to locate the
end date and zap it? You may say it doesn't happen
but I have heard tales...

OK, I know this is going to turn into a religious issue, but here's my $0.02.

In 30+ years I've never seen this. I've seen ONE case where a customer was 
using licensed software illegitimately (on an extra CPU)-and that was an 
oversight: when it was recognized, it was a full-price bluebird for the sales 
rep, who was NOT unhappy at all.

I realize there are issues with Certain Countries whose reputation suggests 
that such practices might be common, but without hard proof, I'm not inclined 
to invest a lot of effort-initial and ongoing-in a CPUID protection scheme; it 
just doesn't seem worth it. And if the alternative is that those countries 
simply wouldn't buy the software anyway, then it's really not a cost to the 
vendor. YMMV.

Of course any sysprog worth his or her salt could hack such a scheme in 
minutes; this is the same as having unalarmed windows on your locked house: any 
thief who's interested can get in via a broken window. The question is whether 
it's also worthwhile to lock the front door and stop the casual intruder (and 
yes, I realize that seems to be arguing against my thesis-but locking your 
front door is low-cost and low-impact, as opposed to building, maintaining, and 
staffing 24x7 a CPUID mechanism).

SAS C used to have a nice, simple scheme: the compiler would say SAS C 
LICENSED TO company whenever it ran. You could run it on the wrong CPU, but 
it would whine (I forget whether it also said Hey, dude, wrong CPU!). The 
theory (I assume) was that no serious company would run software that basically 
yelled Look! Stolen! every time, but in a pinch, you could get critical work 
done. Seemed elegant to me.

As ever, I'd ask the question: What problem are you trying to solve with a 
CPUID scheme? That is, what's the REAL problem THAT YOU ARE HAVING? Or is it a 
theoretical problem? If the latter, consider the cost before investing: is your 
software so magical that it never needs support? If it does tend to need some 
support, then you'll find the cheaters eventually, and have 'em over a barrel 
price-wise...

...phsiii

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[John McKown]

A bit OT for this, but I buy e-books (PDF) from a publisher who has some
really good stuff. It is not DRM'ed. But what the publisher does is take my
order on the Web. And I must pay for it with a credit card. No big deal.
But that means that he knows my name. A short time later, I get an email
with a URL to download my book(s). And on each page of that book is a lower
border which says somthing like: This book was purchased by John McKown
for his use. Please don't steal!

No, it won't stop a criminal. But, really, how many criminals are going to
buy a customized book and resell it? Especially a technical programming
book. I think it is rather clever.


-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[R.S.]

W dniu 2014-03-27 15:37, Mark Jacobs pisze:
Speaking for myself only, I agree 100% with Phil. I HATE with a 
passion mainframe vendor software with license keys, codes, all the 
myriad ways they use to make my life difficult, adds work to my team, 
and puts my company at risk if a vital piece of our infrastructure 
fails for licensing problems.


If it was up to me, when we do our software evaluation process, any 
product that has these restrictions goes to the bottom of the list of 
products that we're going to look at.

Agreed.
Two points:
1. IBM does not use license keys. Even for products from aquisition.
2. Who do use mainframes? Usually large companies (*). I doubt that any 
serious company would want to run unlicensed software.



(*) Exceptions apply. I know private person having parallel sysplex. 
Just for fun. Legal. (very small machines, z/OS.e)


--
Radoslaw Skorupka
Lodz, Poland






---
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2014 r. kapita zakadowy mBanku S.A. (w caoci wpacony) wynosi 168.696.052 zote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Ever see automatic 30-day trials for mainframe software?

[Charles Mills]

It is common in the PC world for software to be offered for a 30-day trial
that works automatically. You download the software, install it, and it
somehow knows when it was installed and quits 30 days later unless
purchased. Typically, it knows by hiding some magic file or registry entry
somewhere that has the original install date.

On the mainframe side, I don't think I've ever seen an automatic 30-day
trial, largely because magic hidden files are of course greatly frowned
upon in this space. Mainframe 30-day trials in my experience require vendor
administration to generate some sort of 30-day key. 

Obviously, there would be advantages to a vendor if they could offer a
freely-downloadable trial of mainframe software that expired
automatically. No one is going to install mainframe software on a whim,
but eliminating the administrative burden of issuing a 30-day key has a
distinct advantage. (Please, let's for the sake of argument not digress into
the are keys good or bad? debate. For certain mainframe software, keys are
here to stay, like it or not, and that's a different topic.)

Has anyone ever seen mainframe software that automatically expired 30 days
after installation? If so, any rough idea how that worked? (Presumably, not
a magic hidden file LOL.)

Thanks,

Charles 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Staller, Allan]

I just happen to be installing a SAS upgrade as I am writing.

A (90 day) temp key is provided (with the distribution - no request needed) to 
support the installation (SAS used to install SAS). 
On/before the end of that period a regular perm key must be installed.


snip

Has anyone ever seen mainframe software that automatically expired 30 days 
after installation? If so, any rough idea how that worked? (Presumably, not a 
magic hidden file LOL.)
/snip

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Elardus Engelbrecht]

Charles Mills wrote:

It is common in the PC world for software to be offered for a 30-day trial 
that works automatically. You download the software, install it, and it 
somehow knows when it was installed and quits 30 days later unless 
purchased. Typically, it knows by hiding some magic file or registry entry 
somewhere that has the original install date.

They're also called 'nagware'. They're nagging constantly, interrupting your 
work, with 'buy me' prompt or something like that.

Some of those software were really clever that if you adjust your clock, they 
will disable themselves properly... 


On the mainframe side, I don't think I've ever seen an automatic 30-day 
trial, largely because magic hidden files are of course greatly frowned upon 
in this space. Mainframe 30-day trials in my experience require vendor 
administration to generate some sort of 30-day key.

True. You get also temp keys for DRP or switch over to new footprint. Whatever 
it is, you have to involve your vendor.


Obviously, there would be advantages to a vendor if they could offer a 
freely-downloadable trial of mainframe software that expired automatically. 
No one is going to install mainframe software on a whim, but eliminating the 
administrative burden of issuing a 30-day key has a distinct advantage. 

Indeend! I really would like that, but over the years I never see such animals. 
It is either licensed (vendor supplied) or freebies at your own extreme risk 
(CBTTAPE for example).


... For certain mainframe software, keys are here to stay, like it or not, and 
that's a different topic.

The more expensive the software, the more weird are the keys and the [slow, 
slower, slowest] administration of it. ;-D


Has anyone ever seen mainframe software that automatically expired 30 days 
after installation? If so, any rough idea how that worked? (Presumably, not a 
magic hidden file LOL.)

No. Never. But I wonder about IBM-MAIN members own software. How are THEY 
working with licensing and key management?

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Mullen, Patrick]

The CICS Betas released over the last few releases (I believe betas
were/are available for 4.2, 5.1  5.2) have built in expiry dates. IBM
states that the betas Contain a disabling device that will prevent it
from being used after the test period ends.

http://www-01.ibm.com/software/htp/cics/openbeta/



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Charles Mills
Sent: Wednesday, March 26, 2014 10:36 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Ever see automatic 30-day trials for mainframe software?

It is common in the PC world for software to be offered for a 30-day
trial that works automatically. You download the software, install it,
and it somehow knows when it was installed and quits 30 days later
unless purchased. Typically, it knows by hiding some magic file or
registry entry somewhere that has the original install date.

On the mainframe side, I don't think I've ever seen an automatic
30-day trial, largely because magic hidden files are of course greatly
frowned upon in this space. Mainframe 30-day trials in my experience
require vendor administration to generate some sort of 30-day key. 

Obviously, there would be advantages to a vendor if they could offer a
freely-downloadable trial of mainframe software that expired
automatically. No one is going to install mainframe software on a
whim, but eliminating the administrative burden of issuing a 30-day
key has a distinct advantage. (Please, let's for the sake of argument
not digress into the are keys good or bad? debate. For certain
mainframe software, keys are here to stay, like it or not, and that's a
different topic.)

Has anyone ever seen mainframe software that automatically expired 30
days after installation? If so, any rough idea how that worked?
(Presumably, not a magic hidden file LOL.)

Thanks,

Charles 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Charles Mills]

Right. Good input. Thanks. I have shipped software with a hard-coded
expiration date. What I am looking for is a floating expiration date that
would be 30 days after installation, whether installed today or a year from
today.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Mullen, Patrick
Sent: Wednesday, March 26, 2014 9:07 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Ever see automatic 30-day trials for mainframe software?

The CICS Betas released over the last few releases (I believe betas were/are
available for 4.2, 5.1  5.2) have built in expiry dates. IBM states that
the betas Contain a disabling device that will prevent it from being used
after the test period ends.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Tony Harminc]

On 26 March 2014 12:20, Charles Mills charl...@mcn.org wrote:
 Right. Good input. Thanks. I have shipped software with a hard-coded
 expiration date. What I am looking for is a floating expiration date that
 would be 30 days after installation, whether installed today or a year from
 today.

It depends to a great extent on the nature of the product. If it
contains/provides its own database of some sort, then there's no need
for a magic hidden file; it can just store  the key info and install
date in some obscure corner of the database. Likewise, if the program
is APF authorized by its nature, there are plenty of legitimate places
it can store the info - most obviously in the security system, and as
dataset or file metadata.

But it all depends on what you're trying to accomplish. I imagine it's
a matter of convenience for you and prospective customers. But if you
are seriously worried about unauthorized use (say, beyond the time of
a trial), then there are all sorts of other considerations that have
been discussed at some length here in the past. These days even the
act of hiding key and data info somewhere may provide you (in the US,
at least) with a DMCA stick to threaten your customers with should
they attempt to figure out where and how you've hidden things. But I'm
sure you wouldn't want to even think of that.

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Mike Schwab]

Haven't seen anything.  Possibilities would be a date in the program
and if past that date the program stops.  Site would need to keep
updating the download to reflect a later date.  Or detect the create
date of the library the program is installed in, or save the install
date into a member, possibly store as packed data or time stamp to
hide the value.

On Wed, Mar 26, 2014 at 11:20 AM, Charles Mills charl...@mcn.org wrote:
 Right. Good input. Thanks. I have shipped software with a hard-coded
 expiration date. What I am looking for is a floating expiration date that
 would be 30 days after installation, whether installed today or a year from
 today.

 Charles

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
 Behalf Of Mullen, Patrick
 Sent: Wednesday, March 26, 2014 9:07 AM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: Ever see automatic 30-day trials for mainframe software?

 The CICS Betas released over the last few releases (I believe betas were/are
 available for 4.2, 5.1  5.2) have built in expiry dates. IBM states that
 the betas Contain a disabling device that will prevent it from being used
 after the test period ends.

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[R.S.]

W dniu 2014-03-26 16:36, Charles Mills pisze:

[...]
Has anyone ever seen mainframe software that automatically expired 30 days
after installation? If so, any rough idea how that worked? (Presumably, not
a magic hidden file LOL.)


Yes. How does it work? It depends, I've seen various methods. One of 
them is to record some data in magic file.


--
Radoslaw Skorupka
Lodz, Poland






---
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2014 r. kapita zakadowy mBanku S.A. (w caoci wpacony) wynosi 168.696.052 zote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Chuck Arney]

I once did this with a VSE software product.  However, when I created the
z/OS version of that product I decided the advantage of the automatic trial
period was just not worth the risk in an MVS environment.

There are easy enough ways to determine when something has been installed
for a period of time, but the trick is to be able to determine that when the
product is completely reinstalled.  The current date can be checked against
something like the creation date in a library DSCB or a PDS directory entry
stat.  But, the real problem is that you need to leave some track that will
persist beyond the complete removal of the product and a reinstall from
scratch.  That is a big problem in a secure environment, and if you do find
a way it would be still be considered unethical by most people.

I don't know what type of product you are considering this for but something
else to consider is the competitors for the product.  Some product areas see
very fierce competition.  I also ran into the situation where a competitor
downloaded my product and ran it on their system with the automatic trial
period.  I quickly lost my enthusiasm for that technique.

All in all, in my opinion it is just not worth it.  Authorization keys are a
necessary evil for most ISVs but the tricks you would have to play to
automate it and still maintain control are not worth the potential problems.


Chuck Arney
Arney Computer Systems
Web: http://zosdebug.com
Facebook: http://www.facebook.com/arneycomputer


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of R.S.
Sent: Wednesday, March 26, 2014 3:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Ever see automatic 30-day trials for mainframe software?

W dniu 2014-03-26 16:36, Charles Mills pisze:
 [...]
 Has anyone ever seen mainframe software that automatically expired 
 30 days after installation? If so, any rough idea how that worked? 
 (Presumably, not a magic hidden file LOL.)



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Ed Gould]

On Mar 26, 2014, at 10:36 AM, Charles Mills wrote:


Has anyone ever seen mainframe software that automatically  
expired 30 days
after installation? If so, any rough idea how that worked?  
(Presumably, not

a magic hidden file LOL.)



Charles:

I have. Its *USUALLY* hidden in the key . Its been a while so I  
cannot remember exact cases.

At one time (IIRC) it took an IPL to update the key.
I am pretty sure that has been eliminated.
As to Good/Bad it really depended on the product. *SOME* products are  
an easy install, others take 30 days just to read the installation  
manual.
Then there are what I call throw away products. They are just that,  
throw away (I won't go into names). Those are a waste of time IMO and  
e shouldn't be discussing them on here.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Andrew Rowley]

On 27/03/2014 2:36, Charles Mills wrote:


On the mainframe side, I don't think I've ever seen an automatic 30-day
trial, largely because magic hidden files are of course greatly frowned
upon in this space. Mainframe 30-day trials in my experience require vendor
administration to generate some sort of 30-day key.


The idea of magic hidden files might be frowned upon, but I think that 
is more due to the description. If you store data for use by your 
program in an obscure location, using standard, documented interfaces I 
don't see it as a problem. I worry more about software requiring 
authorized libraries and software that installs hooks into system 
services than software that might store a piece of data somewhere for 
its own use.


The difficlty is working out a location that would work on all customer 
systems. An idea might be something along the lines of storing a date 
and hash into the application load library on installation, then storing 
a hash of the hash somewhere in storage on first run so that if you 
reinstalled you also had to re-IPL (or find and delete the stored value).


The aim is not to create something foolproof and unhackable, it is 
really to remind the customer that they are supposed to be paying for 
the software, and make it at least inconvenient to bypass. PC 30 day 
trials are similar - you can probably use registry monitors etc. to find 
where the data is stored and delete it, and some people might do that, 
but the aim is to remind the honest customer to purchase.


I think the real reason most mainframe software requries you to contact 
the vendor for a trial is price. With high prices comes the assmption 
that a sales person will be involved (and vice versa - if a sales person 
is involved prices need to be set at a level that will support them!) 
The last thing sales people want is to have people interested in the 
software, but not know who they are. So the real reason for having to 
contact the vendor and request a key is to provide a lead for a sales 
person - not because of technical difficulties implementing a trial period.


Andrew Rowley


--
and...@blackhillsoftware.com
+61 413 302 386

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Phil Smith]

The Sterling Software division I worked for did this, on VM, not MVS. The CPUID 
file was very robust, had in it:

-  Soft expiration (start warning)

-  Expiration (warn loudly)

-  Hard expiration (stop working)

The file could contain keys for multiple CPUs, so you didn't have to keep track 
of which one was for which CPU, and if it read one that was expired, the parser 
would keep reading. So while there was hygienic value in keeping the file 
clean, it didn't hurt if you didn't. It also supported timed emergency keys, 
that would run on any CPU. So the on-call person had a list of those, updated 
every week (with a several-week timeout, so a missed update wasn't a crisis, 
either). And of course a short-term key could be easily (and automatically) 
generated for a given CPU serial number.

The CPUID consisted of human-readable hex groupings with blanks between them, 
ignored extra/missing blanks, linends, blank lines, and comments, and was thus 
easy to read over the phone, FAX, cutpaste, etc. All very civilized; aside 
from the fact that customers would let things get to crisis state and call at 
3AM Sunday, it worked very well.

(As opposed to another place I worked, where the CPUID for a Linux machine was 
a human-readable blob of hex with no spaces-impossible to read reliably-and the 
stupid thing that processed it insisted on no spaces and on Linux-style 
linends, so if you got one emailed to you on Windows and FTPed it, it wouldn't 
work until you dos2unix-ed it, which was just dumb. And it had no redundancy, 
no tolerance for anything. Really, really irritating.)

ObAnecdote:
A friend once wandered into his data center (remember having one of those 
nearby?) and looked at the operator's console, saw product WILL EXPIRE IN 3 
DAYS! CONTACT STERLING SOFTWARE!
He said something gentle along the lines of What the *!#$? Why are you 
ignoring that?
The operator glanced at it and said, Oh, product always says that. Um, no - 
only for the last 27 days!
I believe that operator was soon looking for a job. Or at least should have 
been.

...phsiii

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Shmuel Metz (Seymour J.)]

In
3253568952062076.wa.elardus.engelbrechtsita.co...@listserv.ua.edu,
on 03/26/2014
   at 10:55 AM, Elardus Engelbrecht elardus.engelbre...@sita.co.za
said:

They're also called 'nagware'. They're nagging constantly,

Those are the ones that I decide not to buy.

interrupting your work, 

The smart vendors whine when you initially start the application and
then leave you alone until the next time you start it; oddly enough,
those are usually the ones that I decide are worth buying. I've also
had products that I couldn't evaluate adequately within the permitted
period; the vendor invariably gave me an extension and in every case
that I recall ultimately got my money.

Some of those software were really clever that if you adjust your
clock, they will disable themselves properly... 

If I have to go through that much hassle, the evaluation is over -
thanks but no thyanks.

True. You get also temp keys for DRP or switch over to new
footprint. Whatever it is, you have to involve your vendor.

ObPogo Alas, sometimes the problem is not the vendor.

It is either licensed (vendor supplied) or freebies at your own
extreme risk (CBTTAPE for example).

Paying for software is no guaranty of adequate support, and some of
the best software support that I have gotten has been for free
software. Thank you, Bruce and all the others.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Ed Gould]

On Mar 26, 2014, at 6:44 PM, Andrew Rowley wrote:


On 27/03/2014 2:36, Charles Mills wrote:

On the mainframe side, I don't think I've ever seen an automatic  
30-day
trial, largely because magic hidden files are of course greatly  
frowned
upon in this space. Mainframe 30-day trials in my experience  
require vendor

administration to generate some sort of 30-day key.


The idea of magic hidden files might be frowned upon, but I think  
that is more due to the description. If you store data for use by  
your program in an obscure location, using standard, documented  
interfaces I don't see it as a problem. I worry more about software  
requiring authorized libraries and software that installs hooks  
into system services than software that might store a piece of data  
somewhere for its own use.


Andrew:

This is not quite the same but something remotely similar.
A LONG time ago (GT 40) years a vendor who thought he as clever  
needed to store a jobname in low memory.
This was fine except MVS needed 2 PSA's (or more) so the the problem  
arose that you had to assemble the nuc with a DC of 640  ((max 80  
job names).
At the beginning it was OK. e started having issues when the #'s of  
UCB's reached over 1200 (or some number my memory is fuzzy here).  
Then to add to the issue the product did not always clear the entry  
in the table and it would fill up if we didn't IPL for a few days.  
One of the sysprogs had to write a program to see if the job was  
still running and if not clear the entry.


We had major management screaming at us as they couldn't order any  
more DASD and operations screaming at us because of the JOBNAME issue.


We just old them to talk to the vendor as we didn't write the code. I  
think the vendor finally fixed the jobname issue as the problem seem  
to disappear after maintenance but the UCB was a PIA for quite some  
time as we seemed to be the only customer ho complained.

The vendor as little if any help.

CA bought them out 2 years or so later.

Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Andrew Rowley]

On 27/03/2014 14:40, Ed Gould wrote:

This is not quite the same but something remotely similar.
A LONG time ago (GT 40) years a vendor who thought he as clever needed
to store a jobname in low memory.


That's why I specified using standard, documented interfaces. It might 
be as simple as name/token services. I'm not sure what options you have 
to store something that lasts longer than the address space if you are 
not APF authorized, but in that case you shouldn't be able to do damage 
either.


There are many products out there that hook into the systems in ways 
that are not documented or supported by IBM to perform thier core 
functionality. This is equally as dangerous (or more) than something 
simply storing a value somewhere. Most sysprogs would have some 
experience with one or another vendor product causing a problem with its 
hooks. That core function is probably more reason to be cautious with an 
evaluation than the method of tracking the evaluation period.


Andrew Rowley

--
and...@blackhillsoftware.com
+61 413 302 386

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Ever see automatic 30-day trials for mainframe software?

[Ed Jaffe]

On 3/26/2014 9:20 AM, Charles Mills wrote:

Right. Good input. Thanks. I have shipped software with a hard-coded
expiration date. What I am looking for is a floating expiration date that
would be 30 days after installation, whether installed today or a year from
today.


Our trial software expires n days after download. The key is stored in 
a load module. It would not be difficult to use the SHSCRIPT function of 
SMP/E to create a module in a z/OS UNIX directory with expiry date 
relative to install date. Food for thought for the future. :)


However, I really don't like the idea of an expiry date relative to 
first execution. Implementation could get messy.


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN