Techy: How I investigated Counterpath Bria’s licensing issue

On Saturday the 12th of February 2010, myself and many other users of the popular Counterpath Bria VOIP Software started getting the message “The data received from the license server appears to be corrupted. Please try again and if the problem persists, contact Counterpath Support.”, but without any idea of what caused it. Many people contacted Counterpath’s support forums, but as of the time of posting the only official status we have is “It is being investigated”. However, I took it upon myself to try and figure out what had gone wrong and then if I could “work around” the issue.

I knew from the error message that Bria was trying to contact the licensing server to validate the license, so the first step was to investigate what was being transmitted. Luckily, I had the very handy Charles Proxy and after installing its CA Certificate (so Bria didn’t complain about an invalid certificate authority when retrieving the data via Charles), I could see the communications.

Bria made a post to https://secure.counterpath.com/Service/LicensePool.sv/RegisterClientBinding with my license key, a hash of something on my machine, the type of product I’m checking the license for (Bria), the time my computer thinks it is, and identifying hashes of my machine (in particular, hard disk, motherboard and MAC address) – this data is sent to try and reduce “license sharing”. In return, Counterpath sent back the same information, including an expiration date and duration of the license (30 days), instructions to recheck the license after 24 hours and then every 4 hours (+/- 30%), confirmation the license is valid and then they signed the response using an X509 digital signature. Why have they signed it? Well, otherwise it would be reasonably simple for somebody of about my technical knowledge to be able to intercept the SSL stream and modify the data to always have approved licences (and, no, I’m not going to say how I would do this – but I can think of 2 ways straight away).

As all the other data looked correct (Counterpath used descriptive XML tags which did really help in this process: although since it’s just communicating between their servers and their products, I would have personally obfuscated it just for a little more ‘security’: yes, I know “security by obfuscation” isn’t good security practice, but sometimes “every little helps”), I then investigated the X509 certificate. I copied and pasted it into a new text document, called it “x509.crt” and just let Windows’ certificate explorer show me the details – and it was immediately obvious what the fault was. The expiration date on the certificate was dated 2 days ago.

So about 5-10 minutes of investigation and I knew to roll back my computer clock to pre 12th February 2010. Run Bria to get it to reacquire a new license and voilà, everything working (well, hopefully for 24 hours until the license starts revalidating). I just wish Counterpath had actually provided the “roll back your clock” workaround on their forum: Bria is an excellent product and I’m just disappointed that because somebody dropped the ball and forgot to renew a 2 year old X509 certificate (which would be easily done as that length of time people would have left and the details would have just been forgotten to be passed on), their reputation and good product range may be tainted. I’m guilty myself of letting the SSL certificate on my online dance wear site expire for a couple of days (mainly because the certificate provider wouldn’t let me renew the certificate until after it had expired!) so I know how easily it can be done – I now have a 3 year certificate so it might again happen to me in 3 years time.

What has this taught us: If you use a secure certificate (for your website or code), keep a note of the date it is due to expire and set reminders. Your certificate provider might send you emails to remind you – but don’t rely on them. Communicate with your customers and if a problem could take more than a couple of hours to fix, propose a workaround (such as rolling back your computer’s clock) – they might not like it, but at least you are doing “something”. And signing license files with your own digital signature is a good idea (yep, I bet you weren’t expecting that!) as it stops people easily bypassing it – but just remember to keep your digital signature up to date!
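A minimal expiry check for the reminder advice above, as an added example rather than anything from Counterpath or the original post: it uses `openssl x509 -checkend` to classify certificates as OK, EXPIRING or EXPIRED so a cron job or CI step can alert before the date passes. The 30-day default, the directory layout and the function names are assumptions; the sample certificates are throwaway self-signed ones the script generates itself.

```shell
#!/bin/sh
# Added example (not from the original post): certificate expiry monitoring.
# Function names, the 30-day default and the *.crt/*.pem layout are assumptions.

# cert_status FILE [WARN_DAYS]
# Prints "STATUS<TAB>notAfter<TAB>FILE".
# Returns 0 = ok, 1 = expires within WARN_DAYS, 2 = expired or unreadable.
cert_status() {
    file=$1
    warn_days=${2:-30}
    end=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null) || {
        printf 'UNREADABLE\t-\t%s\n' "$file"; return 2; }
    end=${end#notAfter=}
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null; then
        printf 'EXPIRED\t%s\t%s\n' "$end" "$file"; return 2
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$file" >/dev/null; then
        printf 'EXPIRING\t%s\t%s\n' "$end" "$file"; return 1
    fi
    printf 'OK\t%s\t%s\n' "$end" "$file"; return 0
}

# scan_certs DIR [WARN_DAYS]: check every *.crt and *.pem in DIR and
# return the worst status seen, so the caller can alert on non-zero.
scan_certs() {
    worst=0
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        rc=0
        cert_status "$f" "${2:-30}" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Constructed sample input: two throwaway self-signed certificates,
# valid for 10 and 400 days, written into directory $1.
make_sample_certs() {
    for days in 10 400; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=license-signing-$days.example" \
            -keyout "$1/sample-$days.key" -out "$1/sample-$days.crt" 2>/dev/null
    done
}

# Usage: sh check_certs.sh /path/to/certs [WARN_DAYS]
if [ "$#" -gt 0 ]; then scan_certs "$@"; fi
```

Run it daily against every certificate you sign or serve with, including code-signing and response-signing certificates that no browser will ever warn you about.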

[n.b. might just be worth mentioning that I investigated this all on my own – Counterpath or any third party did not ask me to investigate it. However, within an hour of me posting on their forums with the information I had found, the problem was fixed. Coincidence or were they already waiting for the new certificate to be approved/installed? I don’t know, but I like to speculate 😉 ]

Techy: Token Authentication instead of passwords

I’ve been spending quite a bit of time recently creating a login system (coping with OpenID, Facebook Connect and Microsoft LiveID/Passport) and, of course, the “common and/or garden” email address and password system.

Whilst we do deal with credit card and payment details on the system, it doesn’t need to be “that secure” relating to user authentication (hence we haven’t needed to consider proper two-factor logins: where you login with one password and then need to login again using something else). However, recent security snafus (such as the WebHostingTalk database exploit) are making me think that perhaps we should consider offering an alternative to the standard password system.

There are hardware one-time password tokens out there such as MyPW (which is very similar in looks to the token used by HSBC Bank) and YubiKey (as used by Tom at Nominet) along with Verisign’s VIP Authentication system for iPhones: however, all these OTP (One Time Passwords) systems are designed to be used in conjunction with an existing username and password (i.e. two-factor logins): but has anyone actually implemented a login system which uses the OTP as the SOLE password?

Any pluses/minuses or thoughts about it? Even if you haven’t implemented it, but just think it’s a good or bad idea – please let me know!

Techy: 10 Absolute Nos! For Freelancers

Wake Up Later has a list of 10 Absolute “Nos!” for Freelancers which include (with my comments):

  1. Can you show me a mock-up to help us choose a designer/developer?
    When I worked for a web hosting company, we did waste a lot of time doing web site designs for people as “mock ups” and a few times we did see the ideas “recycled” in their finished design even though they hadn’t paid us. The percentage of “mock ups to completed projects” was quite low as well – meaning wasted time. Oh – and the number of people that said “I don’t like that mock up, can you do another”… Grrr… On the plus side, I’ve just realised that an insurance company that I wrote the billing system for nearly a year ago whilst at my previous employer is still in use, despite the pet insurance company having very little (if anything) to do with my previous employer now. Go me!
  2. Can you give us a discount rate?
    Am I the only person in the world that thinks “The price you see is the price you pay”? You don’t expect Tescos or Sainsburys to “haggle” the price of your food do you? Well, don’t expect web designers, programmers, hosting companies etc to do the same!
  3. Will you register and host my site?
    I slightly disagree with this one – the designer will be able to register the domain name and host it with a third party: but as long as they make it totally clear they are just performing the “payment side” of things and the client needs to contact the appropriate company if there is any “non-design/code” issues then it should be ok.
  4. Can you copy this site?
    Straight copying is a “no-no”, but trying to get a “similar look” to a site isn’t too bad. I.e. if you are doing a shopping cart: do you like the look of Amazon, Tesco, Play will help speed the design work along.
  5. Can I pay for my e-commerce site from my website sales?
    A big no from me here as well! If the designer/freelancer says to the customer “I’ll do it cheaper if you’ll split the sales” that means the designer/freelancer thinks the customer has a very good idea. However, if the customer asks for it – then the customer must think it’s not such a good idea and hence doesn’t really want to risk their money.
  6. I have a great idea. Do you want to…?
    To me, this’ll depend on the circumstances. If they came to me (as a programmer) and said they’d like to partner with me and they can supply the design and backend content, and I’ve got to figure out how to get the content online and handle the promotion of it – then I may do. However, if it’s a case of “I want a shop to sell books via Amazon. I can design the site, can you do the back end…” then IMHO they won’t be contributing that much to the project. If they added their own book reviews then that’s another kettle of fish.
  7. Do you have an IM account?
    I’ve practically given up on IM clients (such as Yahoo, AOL, MSN Messenger and ICQ) mainly because of the Spam (Yahoo especially) and the fact that when I am logged in I’m not always available to chat (away from the machine) or I’m busy working on something. I tend to have my PC in an “always ready” state (i.e. text edit, browsers etc already loaded and positioned) so opening and closing Trillian (which I used to use to log me into all the different networks) will be an extra thing to remember…
  8. Can I just pay the whole amount when it’s done?
  9. Is there any way you could get this done tonight or this weekend?
  10. Can I be sure you won’t use this work in anything else?
    I tend to do the same as Samuel (the author of the original post) in that “(1) their code has utilized code from other projects which I haven’t charged them for, and (2) I will probably use code from their project on other projects, and (3) they own the code and implementation of the project (finished website), but not the actual code pieces (login system, image uploader, etc.). I pride myself in productivity and speed, and I need to use other code all the time to accomplish this.”. However, in most circumstances I do “copy my own code” but in a slightly different manner – so the “gist” of the code may be the same, it’ll be slightly different for each implementation.