Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I'm trying to get an idea of how often my software is being installed. I was thinking about just including a simple URL call in the background the very first time the software is started. I am not trying to gather a lot of information. I really just want to get the date and time the software was installed. Is this unethical or commonly done by other developers?
You could always just have the installer open up a "Thank you for installing our product" page that's hosted on your web server. Since this page would normally only be hit after an install it should give you a decent indicator without being evil.
P.s. Before anyone hounds me on this please note that Firefox does this directly after an install.
In my opinion, yes, sending any data back that isn't authorized is unethical. Most software will prompt you to ask if it's OK to send back anonymous usage data. You could also track downloads and guestimate how many of them are actually installed.
There are a number of software products that gather data from the user but they all get the user's consent before sending any information. I suggest you do the following:
Ask the users to register, this way you will know some basic information like (roughly) when the software was installed.
If you need more complex/interesting usage statistics then make this a feature that users can easily turn off. Some people are not comfortable sending any data to you, Eclipse does this very well, the first time it wants to gather some usage statistics it allows the user to turn off the feature right away.
Finally , which ever way you implement this feature ensure that the users can see exactly what data you are collecting and sending and can choose to not do so.
If you do this in this correctly way you will gather some data in a way that does annoy your users or intrude on their privacy.
Just popup before installation:
"If you click Yes, the date and time the software was installed will be sent to us via your Internet connection. We would appreciate it a lot."
Let "Yes" be the default option and avoid the popup if there is no Internet connection available.
Doing it behind the scenes is unethical in my opinion.
you will always have to ask before calling home with anything, no matter how harmless you think it is.
kind of like you should always ask permission before putting a shortcut on a desktop.
If you want to do that — ask user permission.
Some companies just have automatic check for updates feature.
Only do this if your application uses the network as a primary function, otherwise a user will get weirded out by their standalone application asking to get internet access through their firewall.
Also: If you add in-line updates to your software, or ask to check for software updates periodically, you can easily log this information.
this is kind of tricky, if u are getting the information about the software only; without identifying the user, perhaps it might be passed as alright.
just think of google, i know it never gets installed on your system, but chrome again is a google product, which i believe probes ur google searches to give relevant advertisements. what is reading a cookie, is it any different from reading information from your computer.
also i have seen relevant advertising poping up in yahoo mail when i search for shopping stuff on google. they for sure are reading some info on your computer or browser session.
I think its ok to send the info from software, as long as u have no way to identify from what user it is coming from.
I don't see any particular areas of unethical or illegality except for this: My software, my computer, none of your business if I want to install it or just have it sitting in an installer.
Although I think a convincing argument could be made that it literally is your business to know about your software's installs.
Best route is simply to request to send 'anonymous usage information'.
How many of you windows users tell windows its OK to phone home and verify that your copy is genuine?
0.
There are a lot of high and mighty my-computer-is-my-domain answers here, and the bottom line is while its rude, its not against the law. Rather, its commonplace. Stick a disclosure in the EULA and you're good to go.
It is unethical to hide your collection of usage statistics.
That said, almost every website has a TON of personally identifiable information in the form of web logs that are almost never used to their "fullest potential for evil"
To ethically collect your install count just ask the users to activate the product on first usage or ....
Provide something useful! Prompt the user to check for updates on first use.
This approach IS ethical, can get you better and more relevant data (you can put voluntary forms together) and allows you to make a value exchange.
I think the circumstances also play a part.
If the app is a free app and the developers find that knowing each time an app is installed then as long as the user is told then most users wouldn't have an issue with that.
If the app contains sensitivie data (i.e. financial or credentials) and you notice the app calling home then that would freak most users out and wonder what else is being sent.
Also another point is having it call home each time the app is installed doesn't really tell the developers much, what if a user reinstalls the app or the operating system? What if the call home is denied by security software or their computer isn't even connected?
In my opinion if you can't collect meaningful useful stats then is it really worth collecting them to analyze them?
It’s unethical.
In the case the URL is opened in the default browser: A user might have explictly set beforehand that your tool should not be allowed to connect to the Internet. If your tool just calls the browser, you are circumventing this.
In some countries, users may face oppression or punishment for using specific tools. While they might manage to get the tool via sneakernet, your phoning home would be detectable by authorities.
You might lose/change your domain. If Malice registers it, she’ll have access to the incoming data from installations of your tool.
When your software wants to phone home, inform your users beforehand and allow them to cancel it.
Related
I am working on building a system that can monitor how users react to security alerts on their systems (software updates, warnings etc.). It also needs to monitor the web traffic and the processes running on the system and I am looking to the community to help me design this system. We intend to provide users with test laptops and monitor their behavior over a period of time to see how they react to security alerts thrown by various applications and the OS(windows in this case).
Following are my questions
Can I use windows hooks to solve the first problem i.e finding how users reacted to the alerts thrown by various applications. Specifically, can global hooks be used to solve this?
(How this information should be collected (XML?) and relayed back to a server(how frequently?) is another problem)
Can I do this in C# or it has to be done only in c++ or VB?
Do you know any alternate approach to solve the problem? Is there any software that has these capabilities.
I have many more questions but getting these answered would be a good first step. Really hoping for some good insights from the knowledgeable people on this community
Thank you in advance
Edit:
Example scenario is when adobe prompts you to update the flash player or the antivirus prompts you to update definitions or any application displays a notification(security related having keywords like update, warning, install etc.) needing the user to take some action. Windows system updates is another example. I want to know how the user reacted to these alerts/notifications/updates (which are typically a pop-up window). So i was wondering if i placed a global hook that can monitor the content of the windows displayed on screen and notify me(server) when certain words like update, alert, warning etc. appear in the content/title of the windows and what the user did with the message(dismissed it, Oked it etc). Unfortunately, i do not have any more specifications than this. I can use anything I want to achieve this and I am not clear on what my choices are.
Edit 2:
After having reviewed my requirements and having read about hooks, I feel like I could achieve this by a combination of hooks and the following textGrab SDK, http://www.renovation-software.com/en/text-grab-sdk/textgrab-sdk.html. I want some guidance to know if I am on the right track. I am thinking if I can install hooks then it gives me handles to all possible windows on the screen and I can use the textGRAB SDK to look for certain keywords in those windows. Although this may capture some interesting text, I am still not sure how I will know what action the user had taken on the window. Anybody having any experience with either hooks or textGRAB, please let me know if this looks like a reasonable thing to do. If the community has some other Ideas on how I could possibly monitor security related messages thrown by any application in the system, please suggest. I am looking forward to some useful advice for completing a challenging project.
First of all, you need to define, how you will "see" security alerts in code. "Security alert" is quite a vague term. Will it be some window with some caption and some message to the user or ... ?
Next, about web and processes: Windows hooks won't help you with your task. They are more low-level and not as advanced as you'd need. You can't hook network traffic (you need either network filter driver for pre-Vista or Microsoft Filtering Platform for Vista and later). See this question for some information about checking the process list with C# (there seems to be no easy way to catch process startup either).
It honestly sounds like you need a more solid direction. I commend you for trying to provide details, but It appears that you still need more information about your problem(s)..
I will attempt to answer some of your questions, but like I said - it sounds like you need to know more about your problems before we can provide you with optimal answer(s).
-Alerts is too vague a term, you will need to define this better. Are these 'alerts' applications that YOU have control over or are they third party applications? Not every application will show an 'Alert' in the same fashion, and even if they did - I think using a System Level Hook would probably be too problematic to implement your solution with. I'm not saying it's necessarily impossible, but you're talking about possibly implementing a different set of logic(to determine the data for a given application's Alert(s)) for each application that you want to monitor.
-It's impossible for any of us to determine the optimal storage mechanism for your particular needs, that is something that you will either need to provide more details about or decide on your own.
-How often you collect data is also something that you will have to either provide more details for or decide for on your own.
-C/C++ Would probably provide you with the most portable solution, although there is nothing preventing you from using c# to call Win32 API. (Not everyone has the .NET framework installed - believe it or not)
-The problem that you mentioned appears to be a somewhat specialized problem... I don't know of any existing software that will do everything that you want to do.
Another possible issue that you haven't touched on:
You haven't specified your target audience for this 'service', but I want you to know that if I found an application monitoring as many events as what you're talking about doing, I would promptly remove it and write a nasty letter to the company that wrote it.
In summary, Read this Article on hooks to get a better understanding of how they work.
I know blocking a website is a popular question but none of the answers I've seen address my particular situation:
I want to block a website (to be selected by the user, which must also have Admin rights, on Windows XP), without forcing her to restart her browser.
The well known technique of modifying the hosts file requires some browsers to be restarted. I want to accomplish that in a way that is browser-independent (e.g. Content Advisor works in IE but not in FF) and which doesn't require the user to restart his browser.
Please note that I am interested in knowing how to do this programmatically, so http://superuser.com or http://serverfault.com aren't really the right places for this question, as they mostly suggest tools and services, while I am interested in the underlying knowledge so that I can implement it myself.
Ideas?
Thanks.
Please note that I am interested in
knowing how to do this
programmatically, so
http://superuser.com or
http://serverfault.com aren't really
the right places for this question, as
they mostly suggest tools and
services, while I am interested in the
underlying knowledge so that I can
implement it myself.
Such tools would filter traffic by implementing a NDIS Intermediate Driver. See also this other question.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Applications often have registration keys.
It can arguably be placed in a file or in the registry.
Sometimes, an application is deactivated by entry of another key,
or the passing of a date, etc. Where can one safely
store such information about an application be deactivated?
A file isn't the answer; a backup copy can be restored to
defeat this. The registry is a weak answer, only because
most people don't know its there, and don't think to restore it,
and if they do they restore the whole thing which usually
has other discouraging side effects.
It seems to me that storing deactivation information is
hopelessly unsafe, as old copies can always be restored.
At best one can hide this data by obfuscation under
cryptically named files or registry keys.
Is there a standard trick I don't know, or a standard
scheme supported by Windows, that helps with this problem?
Round 2: I've seen a number of answers. None of them
specifically say "you can't do this" but several imply
that phoning home is the only good choice (for "deactivation").
Let's assume phoning home and dongles are NOT the answer,
and one has to leave something on the machine. What do
typical licensing schemes actually do in this case?
In contrast to the IPhone and other closed environments on an open platform like windows/linux you always run a very high risk that the protection is easily circumventable (local serial protection) or will be cracked by reversing and patching your code. Virtually every modern single player game has this problem. Additionally it is very hard to find a solution that does not annoy the user too much. We all remember the Sony-CD-Rootkit disaster and in the game industry its the always the newest DVD-protection that doesn't work on all drives the way its supposed to. But what can you do? You can try the usual serial, call-home option and ban certain serials in newer updates (Adobe, FlashFXP, Windows). If you have a very low consumer base, this probably is enough for you. If - for whatever reason - that is not an option, what about an USB-Dongle that is needed to use your software. Heard of quite some CAD-programs using this. One last thing you can look into, what about watermarking your application? If it shows up on certain p2p networks you will maybe be able to see where the leak is. Basically nothing will give you a 100% guarantee, but there are options to make it more difficult for the average user... Please keep in mind that most of your money should be spend on creating a great product not in buying mostly useless protection!
Create and sign a license file on a server. If you use public key cryptography, the license file can't be faked easily. Your application can be of course cracked to not need the license, but that's a different thing.
Here is a short but pretty good overview of different options.
http://www.developer-resource.com/how-to-protect-software.htm
Ya,you could encrypt things,that's what they do!.Check the net for various licensing schemes.Even microsoft has one...Microsoft Software Licensing and Protection
You can use the Microsoft Cryptographic API to develop you code.Plus obscure you assemblies or dlls.Force user activation.
All protection schemes are vulnerable to some type of attack. Encryption of information does help prevent attacks because the information is stored in an obfuscated way, but even this isn't unbreakable.
Another possible option is to store the actual activation state information remotely and leave a reference to this information on the machine, possibly encrypted. There are many ways to do this but one that comes to mind is to store a GUID of some kind that you could then look up in your database
One downfall of this is the requirement of an internet connection, I don't know if that is prohibitive or not but the general idea is to remove the activation state from a machine you don't control and put it on one that you do
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am thinking of implementing a good licensing mechanism that has a good resistance against piracy. The required mechanism should not use an internet connection at each and every time the software is used. I am thinking of a mechanism based on hardware IDs etc. Do you guys have any better suggestions? What are the parameters/algorithms/characteristics that I need to concern to make a hack proof license mechanism?
Ideally you need something that is OS independent.
I would recommend that you embed the license protection within your code or wrap your application within it in such a way that it cannot be run without the copy protection code having run first.
It would be best if your application needs a license key file in order to operate and that this isn't generated locally.
One way of doing this is that your application generates some form of image code based upon the hardware on it's initial run. This is supplied to you and in return you supply the license key which will allow the code to run. Best to base the hardware image around CPU and motherboard as these will change the least often.
Your app. should check against hardware image and license key whenever it is run.
If you want your app. license time limited then it should also keep track of how long it has run and embed it within the license key file.
Don't forget to encrypt the license file.
Also don't forget to make it more difficult to reverse compile your executable by use of a dotfuscator or similar.
Check this question: What copy protection technique do you use?
It also links to other related questions.
First of all, nothing is hackproof, so i wouldn't spend too much time on protecting your software.
The downside of a mechanism based on hardware IDs is when a user buys a new computer or upgrades most of his computer he needs to update the key too.
HWHash is a pretty good HardwareID implementation, but i guess there are more (free) solutions.
At work we use Hardlock and Hasp keys, but these are usbkey solutions which are not very efficient for small applications.
I am thinking of implementing a good licensing mechanism that has a good resistance against piracy. The required mechanism should not use an internet connection at each and every time the software is used.
Then how about a periodic online check of the licence?
When the user logs in the first time, the user verifies the install against his account and a licence file is stored on the users PC. This licence file is encrypted and contains all the data needed to uniquely identify the license. This is all stored on your server.
The licence file expires in set number of days or even months. Logging in after the file expires checks against the account and verifies its legitimacy. You might even consider generating a new licence file at this time.
There should be some smarts that give some leeway in the case that the users internet is down and the licence cannot be registered. Perhaps 7 days.
If the software is reinstalled on a new computer the user has to repeat the verification process.
As the others have stated there is no way to beat a determined pirate, since such a person will hack the code, but this should prevent or slow down casual piracy.
You can check out Microsoft's SLP - I haven't used it, but it definitely looks interesting (yknow, IF you're into MS stuff...)
One important point to note - no licensing mechanism will protect you from piracy, or even substantially reduce it. By definition, the licensing mechanism will be client-side - which is inherently breakable. Take a look at all what happened with DRM...
Your guideline should therefore be usability - the intent should be to use it as a general policy, the good guys will be comfortably limited to what they're supposed to be allowed to do, and the bad guys - well, the bad guys will get around your intent anyway, your best hope is to make it more work.
I'd be very wary of published software protection mechanisms, as they are much more likely to have published hacks. You are probably better off using some of the techniques to get a unique persistent ID and use this to roll your own protection mechanism. I also think that it is a poor idea to simple check the license whenever you run the program, as this leads the hacker to the location of your proection mechanism. IMO, your are better checking the license in a more random fashion, and more than once per session.
FWIW, I use hardware locks (hasp) for my high end desktop software, and device ID based licensing on mobile solutions. If you are selling small quantities of high cost software in a vertical market, IMHO, a good license protection mechanism makes sense, and hardware dongles work well. My experience has been that people will use more licenses than they purchase if this is not in place. For high volume, low cost software, I'd tend to live with the piracy based on increasing the size of the user base and product visibility.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
My boss tasked me with finding a sort of system for a customer to be able to log into a website and view their website as a work in progress (so employees would obviously have to be able to upload their work). All communication would be handled through this website.
It sounds like a forum, but customers would not be able to see each others' projects. It's private and the only people who could see all customer projects are employees.
I'm sure I could implement it using a forum and some visibility options, but I was just wondering if anyone knew of any systems similar to this.
Something like Basecamp would work - set up a Basecamp project for each customer/project and only give customers access to the appropriate projects, while your employees could have access to all.
Sharepoint is always on option if you are on the Windows platform. Also might want to look into Mingle. I haven't used it in a couple version, but it showed real promise.
Most of the people I see that sub out a website don't get to view the actual website themselves live on the Internet - because just simply its to easy to copy down the underlying HTML (unless of course much of it is server side scripts, but that's another store). Most of the time they just get screen shots (and perhaps user testing on the developers machine) until most of the money has changed hands.
Why not put up a bulletin board (like phpBB, but not necessarily phpBB) and segregate what each client can see. Then you can post screen shots in each customer's area and let them comment and discuss?
We have a Forum-style section at the bottom of the page (on our DEV sites) where people can add a Comment. The ideas is that a Tester, finding an issue, will check the Comments at the bottom of the page before adding a new (possibly duplicate) Comment.
We allow Assignment of the issues, internally, and then Assigning it back to the Author for Approval, once it is fixed.
Additionally testers mark the page as "Operational" or "Broken". We have a report of pages not-yet--reviewed - so testers can make sure they have achieved 100% coverage.
We have routines that will reset all pages to "Test required" (ready for another round of testing), optionally leaving pages marked as "Broken" at that status, or resetting everything to "Testing required".
We tend to use sub domains for this - so TEST.MyDomain.COM - and have the ROBOTS.TXT set to disallow all search engine spidering - so only those in the-know will find the site. (I suppose you could be more paranoid, and require password-access, but our clients are about to launch the site and not paranoid about outsiders seeing it - indeed, they often ask Customers etc. to have-a-look)
Having said that we do have a "Known user login" which proffers no specific admin powers, but does log any Comments to that specific user - always useful if we can't work out what the heck their Comment actually meant!