Thursday, March 13, 2008

Quick License Manager is Very, Very Broken

I'm evaluating inexpensive license managers for a customer of mine who would like to distribute his software commercially. I was evaluating what appeared to be a very easy-to-use product, Quick License Manager 4.0, when I came across a glaring security hole in its key authentication scheme:

They use symmetric "encryption" to determine if a key is valid.

That means the "password" to your whole serial-number scheme has to be put into the very software that checks whether a given serial number is valid. All information required to generate a new key is therefore encoded into every executable of the program, including every evaluation copy. You just open a program that uses QLM in a text editor, find the call to the DefineProduct method of the COM object, and magically you have everything you need to plug back into their products.xml file and generate an unlimited number of new codes. Even if you encrypt the data you eventually pass to DefineProduct, any number of debuggers can easily snatch the parameters of the COM object call.

What does this mean for you? Say you make a program that catalogs your customers' pet fish collections. You sell it for $40. A reasonably intelligent guy named Mel downloads your free trial. He opens the exe in a text editor, looks through it and sees the calls to QLM. Mel can now download a copy of QLM himself (they have a 15-day free trial...), and then not only can he generate an unlocked license for himself, he can also generate as many license codes as he likes. He can effectively sell copies of your product himself, at whatever price he wants (free, or simply cheaper than you).

Quick License Manager is a strong avoid. If you already use it, replace it now, and take down every downloadable copy that is locked by it. Make sure whatever you replace it with uses asymmetric (public-key) encryption.

--Michael

Friday, February 01, 2008

Transferring your business email to its own account.

You were a good business owner and got yourself a domain when you started this wild ride known as running a business.

You set up Gmail a long time ago to send emails on behalf of your name at your domain, to present a professional image to the world. It works pretty well. Then one day you find a client can't send you emails.

Perhaps one who wants to pay you a lot of money, but wonders why you can't even get your email server straight. Or perhaps you sent one too many emails from your blah@gmail.com account, or too many friends are emailing you @mycompanyemail. Whatever the issue is, you've decided to switch to the excellent Google Apps for Your Domain and segregate your personal and business dealings a little.

First, sign up for GAFYD. Prove to them you own your domain if you didn't buy it from them.

I'm crossposting this on Pitch to the Gods and Rowdy Bytes. Pitch to the Gods is my blog about starting and running a business, in all its coolness and its surprising and frankly humbling difficulties. Rowdy Bytes is my recently renewed blog about technical things that I haven't seen elsewhere, or at least not as prominently as I think they should be.

Now your next step, switching over the MX records, while arcane, is not a big deal. Almost as importantly, you have to add an SPF record so mail servers don't start marking your mail as spam (which they may already have been doing if you didn't have an SPF record). And no, I don't really know what either of those are, but I know they are important.

Next, you have to do something that seems like it should be simple. It isn't. That is, getting your email out of one Gmail account and into another.

At first blush you may say "Gmail has POP3! That will surely work." And you're right. It will. For exactly 200 messages. And it doesn't let you get just one folder's worth, oh no, you have to pull them ALL down. If you click edit settings and then hit save settings, it will pull a second 200 down.

So with the 30756 messages I have in my Gmail account, that would take a little bit of time. Then I'd have to filter those down to the ~1000 Rowdy Labs-specific emails that I'm not interested in cleaning out at this juncture.

Turns out you have to get to your britches by way of your elbow here. The elbow being Windows Vista Mail and the britches being my Rowdy Labs LLC Google Apps for Your Domain account.

This should work with any email client, but I'm giving you the steps for this particular client. First off: create a new account. Use an IMAP server. Give it the login name you use with your personal Gmail account. Hit save. Then rename it to "Personal Email". Then right-click, go to Properties, and set it to use secure authentication.

Do the same thing for the destination server, except call it "Work Email", and use the name@domain login you've already set up via Google Apps for Your Domain. Refresh the folders on both accounts.

Now this is very important. Turn off junk mail filtering. Turn off phishing detection (Tools->Junk Email Options). These will try to filter mail you've already determined isn't junk while you are just copying stuff over. That is at best annoying and at worst a good way to lose things that are really, really important to your business (it caught a password email and a payment receipt for incorporation when I didn't follow this advice. Bad mail filter! Bad!)

Now go into each "Personal Email" folder (yes, your beautiful tags are called folders when viewed via IMAP), and copy the contents to a corresponding folder on the "Work" server. I made a new folder for each client and each lead source, then copied into each of them from a couple more monolithic tags in my personal email.

Depending on your messages, this will take a while. It took 45 minutes to copy over the 1000 messages I cared about (and about 20 minutes to go through the remainder of the email I didn't delete before the move, but needed to transfer over).

Now go into your work email and set up some filters, and liberally use the option that applies them to the emails that are already there. You have now split your email. Work-life balance will surely follow :o)

--Michael