HackMyApp - Protect Your Xojo Applications (and Profits!!!)

+1 for Tim too.

Ah. I was only curious because the constant blanking/redrawing makes me want to hide the app in the background.
It’d be neat if it scrolled data away as it came in, but I’d think that’s a back-burner feature request.

[quote=91974:@Matthew Combatti]HackMyApp was designed to help Xojo developers realize exactly what they are handing over to the public, before it is too late. When using MBS Plugins or a number of serial-based development plugins and tools, a developer inserts a serial number directly into the Xojo code editor, and rarely thinks of the consequences. Without first encrypting the serial number, and using a decode method in place of the actual serial, you are freely giving away your licensed embedded serials to anyone willing to search for them. In turn, you are stealing money from MonkeyBreadSoftware, risking your license getting terminated, and losing money yourself. HackMyApp will reveal any such security issues, so that you may go back and fix them before distributing your finalized software.
[/quote]

If it were my serial number activated plugin, and you were giving out an app like HackMyApp which makes harvesting my serials this easy, you’d be getting a call from my attorney tomorrow. Not cool at all. Serial number systems are usually designed to balance protection and convenience. Your app effectively throws that balance way off for things you target.

Generally, before claiming that you’re “helping” someone, you might ask them if they want your brand of help first rather than telling everyone what a great guy you are for looking out for them.

#ReallyBadIdeaHere
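The quoted post describes the mitigation in one sentence: never leave the plugin serial as a plain literal, store an encoded form and decode it at runtime. The block below is an added illustration (not code from the thread, from HackMyApp or from MBS) using a constructed stand-in for a build's data section, a placeholder serial and a constructed XOR key; it shows why a self-audit finds the plain literal and not the encoded one, while the runtime decode still yields the same value.

```python
# Added example (not from the thread or from HackMyApp): why a serial
# literal in the source ends up as a findable string in the build, and
# what "encode it and decode at runtime" changes. All data is constructed;
# the serial value and key are placeholders.
import re

SERIAL = "EXAMPLE-1234-5678-ABCD"  # placeholder, not a real licence key
KEY = b"\x5a\x13\xc7\x88"          # constructed XOR key, held in code


def xor_obfuscate(text: str, key: bytes) -> bytes:
    """Build-time step: turn the serial literal into opaque bytes."""
    data = text.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_deobfuscate(blob: bytes, key: bytes) -> str:
    """Runtime step: the decode method that replaces the literal."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode()


def build_image(embedded: bytes) -> bytes:
    """Constructed stand-in for a compiled binary's data section."""
    return b"\x00" * 16 + b"SomeOtherString\x00" + embedded + b"\x00" * 16


def find_serial_literals(image: bytes,
                         pattern=rb"[A-Z]+-\d{4}-\d{4}-[A-Z]{4}") -> list:
    """Self-audit: a strings-style scan of your own build for the key format."""
    return [m.decode() for m in re.findall(pattern, image)]


plain_image = build_image(SERIAL.encode())
obf_blob = xor_obfuscate(SERIAL, KEY)
obf_image = build_image(obf_blob)


def audit() -> dict:
    # A plain literal survives compilation verbatim; the XOR form does not
    # match a literal scan, yet decodes to the same serial at runtime.
    # This only raises the bar against a string search; anyone who can run
    # the decode routine under a debugger still gets the value.
    return {
        "plain_build_leaks": find_serial_literals(plain_image),
        "obfuscated_build_leaks": find_serial_literals(obf_image),
        "runtime_decode_ok": xor_deobfuscate(obf_blob, KEY) == SERIAL,
    }
```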

This app is to help developers see how weak their protection is. I fully appreciate Matthew’s efforts. It also throws red flags for you if your serial numbers are easily findable so you can find and further hide them. Obfuscating the sensitive data is the developer’s job, it’s fully their responsibility. Not a lawyer, but you and your attorney would have no case against Matthew, but you could certainly sue your users for not obfuscating their serials.

“Security” by obscurity always fails once someone finds your data.

Also, http://hopperapp.com

I like the concept. But you should avoid exposing the contents.
Just say “Product X detected. Serial number successfully decoded.” and things like that.

[quote=92041:@Tim Parnell]“Security” by obscurity always fails once someone finds your data.
[/quote]

You completely miss the point of most serial number based security systems. Great work. And yes, I would be all over him, his ISP, his hosting company, etc. if he pulled this crap on me. I certainly hope that “XojoDevSpot” doesn’t constitute an endorsement from the registered trademark owner of Xojo.

Matthew, you are obviously a very talented developer, but man, you are going to run into the wrong, bigger a-hole soon enough on your path, and it won’t be pretty at all for you. If you can’t see how someone might go ballistic over this (or the XojoDevSpot thing, geez), you need to find yourself someone who can anticipate this stuff and check you.

You’re still targeting the wrong person. He’s made a useful tool to help developers. But you’re saying that he is the problem, when the problem is your users who haven’t done their due diligence to not spread their serial number.

But yes, let’s bury and destroy a useful tool so you don’t have to confront your users.

You don’t go after the hammer-maker if someone uses one to break your windows.

Who broke my windows??

[quote=92051:@Tim Parnell]You’re still targeting the wrong person. He’s made a useful tool to help developers. But you’re saying that he is the problem, when the problem is your users who haven’t done their due diligence to not spread their serial number.
[/quote]

You show complete misunderstanding of the psychology of serial number systems. But this isn’t my SN system that Matthew is buggering up. It’s Christian’s. I don’t know if Christian will be annoyed by this or not. Were it my SN system, there would be a giant can of whoop ass opened in the morning.

Except that this tool should reveal if a developer has followed Christian’s own advice on obfuscating the MBS serial number or not.

I, for one, welcome my new self-hacking overlord.

The tool is wonderful, should go on.
Exposing serials is illegal and can’t be allowed.
Now let’s tie a slice of bread with butter on a cat’s back and throw it in the air.

More related: Now that it’s done scanning and I’m scrolling through my results, I’ve got some UX notes.

  • There’s a helptag on the listbox and it pops up and gets in the way on OSX. On OSX it only has the ? character in it from the windows new line, so maybe you haven’t seen it on windows? (can’t capture it in a screenshot, it’s floating above what screenshots grab apparently)
  • Can’t de-select a row in the listbox.

He’s doing no such thing. Christian specifically asks developers to obfuscate the serial number he gives them. If they are not, I’d imagine he’d like to know. I know I would. I’d also like to know if my obfuscation is sufficient.

No, I think Brad’s right here. If I hack some big name software and tell them about the vulnerability, I don’t think they’re going to just thank me. They’ll fix the problem all right, after they jump all over my azz.

[quote=92052:@Kem Tekinay]You don’t go after the hammer-maker if someone uses one to break your windows.
[/quote]

Kem, if you put yourself in someone’s shoes who is trying to offer a minimal level of “protection” to code he licenses without being a jerk about it, and this thing comes along purporting to help him by allowing any developer who downloads it to find a SN in another developer’s products, I think you would see my concern.

Christian can deal with this. For future reference, anyone pulls this crap with my products, gloves come off. If they do it and claim to be helping me, I will take pleasure in ruining them. For real.

This is a tool to “hack” your own software, preferably before release.

This tool is available to anyone by following the link, and can be applied to any software already released. Matthew admitted to doing that himself on some 20 titles.