Fix your software so we don't go down when you do!

[*mad_professor*]

This is BS.

You really need to fix this issue. So when your servers go down, no one can use their software? I am really pissed about this.

Why can't you have some type of time out so if our TT Recast can't hit the server, it will still run for say 48 hours until it stops?

Really you should take this out completely. What happens if you go out of business? Your install base dies with you?

 

[cmaier]

Yeah, the 10 second grace period is pretty inexcusable. I wonder what other information the software "phones home" about.

 

[PhuckNut]

Yeah, the 10 second grace period is pretty inexcusable. I wonder what other information the software "phones home" about.

The other data that I see in the packat capture is in SSL/encrypted format. So its certainly something they do not want us to know about

 

[K4LK]

Again, copy protection that prevents a legitimate user from running software that they paid for really pisses me off! Unbelievable!

 

[dkieffer]

We certainly understand your concerns. We are working on the issue.

To address the concerns that have been raised, first, it is not fair to assume that because communications are encrypted using SSL that it is because there is a strategy to keep information 'from' our customers. Actually, quite the opposite (and I think you could say this about most uses of secure sites). For obvious security reasons, we don't want to specify exactly what is going back and forth, but it is part of a larger effort to fight piracy of our software. In the past we've had a pretty significant breach and because of the nature of our business we are an ongoing target.

The continuing registration verifications were implemented after the big security incident. It was part of a larger plan that involved lots of other changes to quickly regain control over unregistered versions that were out there.

Since then, we've realized that there are a lot of issues that this creates for our customers. We are working on the implementation of a registration process that we took care in designing that will address the specific concerns that have been raised (program shutting down if the connection is lost, the inability to use the software if our systems are down, etc.).

I'm not sure how to respond to the 'copy protection' e-mail because Recast as an application is available freely. The issues surround our choices on how we sell licenses to our software. As that process evolves, existing users should be able to use the software under their terms of understanding when they made their purchase and as a company we must communicate our licensing terms clearly and accurately so that consumers can make an educated decision about doing business with us.

Finally, I'd like to reassure everyone that there are provisions in place (poison pills in corporate speak) that make sure there are not any problems keeping your using your software and keeping Recast kicking well into the future even if Time Trax Technologies as a company would fold. There is of course no sign that anyone should be concerned about the ability for Time Trax to continue its business.

David K.
Time Trax

 

[PhuckNut]

We certainly understand your concerns. We are working on the issue.
To address the concerns that have been raised, first, it is not fair to assume that because communications are encrypted using SSL that it is because there is a strategy to keep information 'from' our customers. Actually, quite the opposite (and I think you could say this about most uses of secure sites). For obvious security reasons, we don't want to specify exactly what is going back and forth, but it is part of a larger effort to fight piracy of our software. In the past we've had a pretty significant breach and because of the nature of our business we are an ongoing target........

You're not hiding anything from us, but won't tell us what's in the stream. While you continue to reassure us its nothing to be worried about.

Thanks & Happy holidays.

 

[LVWolfman]

You're not hiding anything from us, but won't tell us what's in the stream. While you continue to reassure us its nothing to be worried about.

My guess would be that it is an encrypted challenge/response system. If a cracker doesn't know what the challenge key is and what the response is, it makes the software that much harder to crack.

This is just an educated guess however. I've spent NO time examining what the program is doing, just basing this one what you posted and what the answer was.

The way license keys are used in a program is usually encrypted as well. it's all part of the game for crackers/pirates and self-defense for publishers and authors.

At least they're using their own system. I purchased a retail package the other day that requires activation over the internet. Except that the activation server is down and the program won't work until it can phone home and use my activation number. The activation server has nothing to do with the publisher... it's part of a 3rd party company that charges a healthy fee (annual license, licenses per developer seat, royalties per demo copy AND royalties per registration) to the tune of $0.63 per copy for a $50 program if they distribute 50,000 copies a year.

 

[cmaier]

dkieffer,

your reply was a little vague. Ignoring how some future version of the software might work, can you assure us that the current version does not phone home with any information regarding listening habits or other personal data scraped from the system?

thanks.

 

[PhuckNut]

My guess would be that it is an encrypted challenge/response system. If a cracker doesn't know what the challenge key is and what the response is, it makes the software that much harder to crack.
This is just an educated guess however. I've spent NO time examining what the program is doing, just basing this one what you posted and what the answer was.

If they did not do the SSL stream last - I would agree with the above. However, a while ago, while testing something else on my network, I noticed this traffic and examined it deeper. Things happen before the SSL part that are NOT encrypted.

So - I am no longer worried about it. When you buy a product and use it, you accept whatever they are going to do, regardless how you feel. If you feel that strongly about it, you shouldn't own it or use it in the first place.

 

[src666]

What needs to be understood is that there is no perfect security. There is no "uncrackable" or "unhackable" protection. Can't be done. Look at what's on UseNet if you don't believe me.

I've been using computers since the late 70's, and writing software professionally since the early 80's. I can't begin to remember all the software and hardware locks I have seen come and go over the years. NONE of them worked. Many of them annoyed the customers enough to drive them away (Quicken 2003, anyone?). In fact, some were so annoying as to drive the customers to the cracks, just to get the convenience of an unencumbered system.

So, it comes down to the choice between a false sense of security and pissing off customers. Since the current customer base (when happy) is TimeTrax's best source of new customers, I would suggest that accepting some level of "shrinkage" is a reasonable trade for a happy customer base. Especially since you won't be preventing the hacks no matter how much you inconvenience us - if they want to crack your program, they will crack your program. Period.

 

[LVWolfman]

Yup. that's pretty much what I said earlier about companies finding a balance between protection and instrusion on the customer experience.

These folks have a good product. Forums like this are a great way to provide after the sale support. When I found this forum I felt a lot better. I've spent far too much money on software where the only contact I have with the company is pitches for more software or someone with a Pakistani accent if I have to call for support.

They'll get it right, I have faith in them.

In the mean time, I wish everyone here a very merry Christmas! (If you are offended, then silently substitute the best wishes greeting of your choice and go self-inflict a physically impossible act. )