Techy: How I investigated Counterpath Bria’s licensing issue

February 14th, 2010 by Richy B. No comments »

On Saturday the 12th of February 2010, I and many other users of the popular Counterpath Bria VOIP software started getting the message “The data received from the license server appears to be corrupted. Please try again and if the problem persists, contact Counterpath Support.”, but without any idea of what caused it. Many people contacted Counterpath’s support forums, but as of the time of posting the only official status we have is “It is being investigated”. However, I took it upon myself to try to figure out what had gone wrong and then whether I could “work around” the issue.

I knew from the error message that Bria was trying to contact the licensing server to validate the license, so the first step was to investigate what was being transmitted. Luckily, I had the very handy Charles Proxy and, after installing its CA certificate (so Bria didn’t complain about an invalid certificate authority when retrieving the data via Charles), I could see the communications.

Bria made a POST to https://secure.counterpath.com/Service/LicensePool.sv/RegisterClientBinding with my license key, a hash of something on my machine, the type of product I’m checking the license for (Bria), the time my computer thinks it is, and identifying hashes of my machine (in particular, hard disk, motherboard and MAC address) – this data is sent to try to reduce “license sharing”. In return, Counterpath sent back the same information, including an expiration date and duration of the license (30 days), instructions to recheck the license after 24 hours and then every 4 hours (+/- 30%), confirmation that the license is valid, and then they signed the response using an X509 digital signature. Why have they signed it? Well, otherwise it would be reasonably simple for somebody of about my technical knowledge to intercept the SSL stream and modify the data to always have approved licences (and, no, I’m not going to say how I would do this – but I can think of 2 ways straight away).

As all the other data looked correct (Counterpath used descriptive XML tags, which did really help in this process; although since it’s just communicating between their servers and their products, I would personally have obfuscated it just for a little more ‘security’: yes, I know “security by obfuscation” isn’t good security practice, but sometimes “every little helps”), I then investigated the X509 certificate. I copied and pasted it into a new text document, called it “x509.crt” and just let Windows’ certificate explorer show me the details – and it was immediately obvious what the fault was. The expiration date on the certificate was 2 days ago.

So after about 5-10 minutes of investigation I knew to roll back my computer clock to pre-12th February 2010, run Bria to get it to reacquire a new license, and voilà, everything was working (well, hopefully for 24 hours until the license starts revalidating). I just wish Counterpath had actually provided the “roll back your clock” workaround on their forum: Bria is an excellent product and I’m just disappointed that because somebody dropped the ball and forgot to renew a 2 year old X509 certificate (which would be easily done: over that length of time people would have left and the details would simply not have been passed on), their reputation and good product range may be tainted. I’m guilty myself of letting the SSL certificate on my online dance wear site expire for a couple of days (mainly because the certificate provider wouldn’t let me renew the certificate until after it had expired!) so I know how easily it can be done – I now have a 3 year certificate so it might happen to me again in 3 years’ time.
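To make the failure mode concrete, here is an added example (my own illustration, not Counterpath’s or Bria’s code) in Go: a hypothetical self-signed ECDSA certificate signs a licence response, and the client-side check shows that the signature itself still verifies after the certificate has expired; it is the validity-window check against the client’s own clock that rejects the data, which is exactly what the clock rollback sidesteps. The function and field names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// newSigner builds a self-signed signing certificate (hypothetical, not Counterpath's real
// one) that is valid from notBefore to notAfter, and returns it with its private key.
func newSigner(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signResponse is the server side: an ECDSA signature over SHA-256 of the response body.
func signResponse(key *ecdsa.PrivateKey, body []byte) ([]byte, error) {
	sum := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, key, sum[:])
}

// verifyResponse is the client side. The signature still checks out with an expired signer; what
// fails is the validity-window check against the client's own clock, hence the clock-rollback workaround.
func verifyResponse(signer *x509.Certificate, body, sig []byte, clientNow time.Time) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, body, sig); err != nil {
		return err
	}
	if clientNow.Before(signer.NotBefore) || clientNow.After(signer.NotAfter) {
		return errors.New("license data rejected: signing certificate is outside its validity window")
	}
	return nil
}
```

A client that pins the signer this way should log the certificate’s NotAfter on every rejection, so the expiry shows up in support logs rather than as a generic “corrupted data” message.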

What has this taught us? If you use a secure certificate (for your website or code), keep a note of the date it is due to expire and set reminders. Your certificate provider might send you emails to remind you – but don’t rely on them. Communicate with your customers and, if a problem could take more than a couple of hours to fix, propose a workaround (such as rolling back your computer’s clock) – they might not like it, but at least you are doing “something”. And signing license files with your own digital signature is a good idea (yep, I bet you weren’t expecting that!) as it stops people easily bypassing them – but just remember to keep your signing certificate up to date!

[n.b. it might just be worth mentioning that I investigated this all on my own – neither Counterpath nor any third party asked me to investigate it. However, within an hour of me posting on their forums with the information I had found, the problem was fixed. Coincidence, or were they already waiting for the new certificate to be approved/installed? I don’t know, but I like to speculate ;) ]

Cost of sales – makes you wonder why you bother

January 23rd, 2010 by Richy B. 1 comment »

It’s amazing how quickly costs of sale tot up. An item I am going to be selling costs me £12 to purchase from the supplier (as long as I buy more than £200 at a time, pay before shipping and don’t want express shipping) – however, to sell it, I’ve got to add postage costs of £2.24 to get it to the customer (well, it will be that come the 1st of April when UK postage prices go up again), then I’ve got to add VAT at 17.5% on top, then I’ve got to add Paypal fees of 20p and 3.4% on top of that – giving me a final “cost of sale” of £19.54 – that’s £7.54 I’ve got to pay to third parties just to sell this item. One of my more expensive items costs me £21 to purchase, and the cost of sale is £31.19 as Paypal and the VAT man both want a larger cut…

I’ve then got to try and make a profit on it, remembering that if I do make a profit I’ll then have to put around 30% of it to one side to pay as Corporation Tax. I’ve also got to try and account for “shrinkage” (i.e. when a package gets lost in Royal Mail’s systems and I’m not able to reclaim the full amount), the costs of running the server and website I’m running the site from (around £120 per month, plus bi-yearly domain registration fees and SSL certificate costs), any bank charges and interest, telephone line usage (even if it’s just for incoming calls, I’ve still got to pay line rental), £35 monthly accountancy fees, £15 annual return fees and various other little bits and bobs (insurance/storage costs etc.): and that’s all before I can even consider paying myself some money for the time and effort I’ve put in. Oh, and if I do start paying myself money, I’ve then got to pay National Insurance contributions, Employer’s and Employee’s tax, payroll fees and other little annoying bits…

I do sometimes ask myself why I’m bothering: all this work for very little (if any) payoff – but if I were just unemployed, I’d actually end up, at the end of the day, with more money… Meh!

Moan: Single occupancy hotel prices

January 15th, 2010 by Richy B. No comments »

I’ve watched some of Channel 5’s “The Hotel Inspector” about the Walpole Bay Hotel in Margate and I thought I’d go to their website to see if they were still in business, and they are. However, I then saw their Rooms and rates prices, which offered “Prices below are per room per night including breakfast” – but then said “In a double or twin room is £50 per night increasing to £60 during high season” (note a “Standard double” during “Low season” is £60, so you are nearly doubling the price – and also note that they don’t actually offer single rooms, nor is there a single supplement charge on their sleeps-3 Family Rooms or sleeps-4 Family Suites!).

If you are charging by the room, why does it matter how many people are in it? And if you are including breakfast in the price of a double/twin room and there is only one person staying, doesn’t that actually *save* you money? And what happens if you actually book it for two people, but one person is ill and can’t make it, or has to go home half-way through?

I wish this practice would stop – either charge per person or charge per room: don’t do both!

PHP Profilers – A Quick summary

December 29th, 2009 by Richy B. No comments »

More an aid to memory than anything, here are the PHP profilers I’ve recently heard about:

XDebug by Derick Rethans
The oldest and most well-known profiler. Needs modification of the server’s PHP configuration to run. Compatible with KCachegrind/WinCacheGrind, MacCallGrind and Webgrind and remote debugging tools. Produces quite large debug files (typically 900Kb to 10Mb, compared to XHProf’s 110Kb).
XHProf by Facebook Inc (available via PECL)
Large amount of information provided and allows you to “drill down” by various sections – allows comparison of “diffs” between runs to check performance enhancements. Needs modification of the server’s PHP configuration to run. Also compatible with the *Grind systems. Used by Facebook and Manga High’s online maths games website, but currently only runs on Linux/FreeBSD. Seems to be preferred by iBuildings (see Profiling with XHProf), which is how I originally heard about it.
PHP Quick Profiler (PQP) by ParticleTree
Needs modifications to your PHP code, but does not need the server’s PHP modifying (so it can be used on shared hosting easily). Nice and bright. Used by ParticleTree on their Wufoo product.

Snippet: Predicted Caffeine Intake

December 21st, 2009 by Richy B. No comments »

Today I’m probably going to be consuming:

  • 2x Mars Mochachino Hazelnut coffees (caffeine value unknown – one already drunk)
  • 1x Mana Health Potion (160 milligrams of caffeine)
  • 1x Bawls G33k B33r (64 milligrams of caffeine)
  • 1x Cherry Lucozade (46 milligrams of caffeine)
  • At least 1 cup of tea
  • Total: at least 270 milligrams

Why? Well, just to try and keep me awake and warm. According to my other half, 10 grams of caffeine is lethal, so I’ll have less than a twentieth of a lethal dose (just 0.27 grams).

Giggity-giggity watch me turn to goo ;)
