
Honest Software Security, or Highway Robbery?

January 31, 2008 by mike · 1 Comment 

There is a secretive battle being waged for control of the software on your desktop, and unless you’re working in software configuration or a Micro ISV, you probably aren’t even aware of it.

The battle is over code signing, and over how software developers are held to ransom by the code signing certification authorities (one in particular; see if you can figure out which!) and made to buy expensive certificates. In the case of developing a “Certified For Windows” application, there is no real technical need for the expensive certificate at all!

What is Code Signing?

Code signing is a process which allows software publishers to use a certificate in order to “stamp” or sign code (usually program installers). This process imprints the publisher’s details onto the file so that when users run the file they can decide whether to trust the publisher and allow the content to run, or not.


When a publisher signs code, it is like applying a seal to it. It proves that the code hasn’t been tampered with, it shows who the code comes from, and only the holder of the correct signet ring (the private key) can make that impression.

Why use Code Signing?

The internet has made anyone with the right tools and aptitude into a potential software publisher. This means that a lot more hackers, script kiddies and novices can put their own “free” malware openly on the internet. People can release software, pretending it comes from someone else - or worse still, damage a company’s reputation by releasing fake spoofed software.

Users now have a way to determine if the software they have is trustworthy. The code signing “stamp” on the file is also broken if the file is modified without the publisher’s permission. By using only code signed installers, you know that the file is genuine and comes from the publisher it claims to come from.

Although the use of certificates in computer security has been around for over a decade, Microsoft has created its own Code Signing technology, dubbed “Authenticode”. In order for a publisher to get on board with “Authenticode” to sign their software, they must purchase an “Authenticode” type certificate from one of Microsoft’s trusted partners.

The way certification authorities work is that Microsoft explicitly trusts a small group of privately-owned companies to issue certificates only to companies which have paid for and passed the security checks (usually checking business address, registration, contact details, etc). So, when you sign your code with a certificate obtained from one of Microsoft’s trusted group of partner companies, Microsoft Windows will acknowledge your certificate as potentially trusted and ask the user whether they always want to install your software, never install it, or be asked each time software from this publisher is run. For example:

The user can then click the link of the publisher to view pre-defined information about the publisher from the certificate.

If the unfortunate publisher could not or did not sign their file, you would see messages like the following:

The problem… The Microsoft “Certified For” Testing Racket

Creating your own certificates can be done by anyone, in seconds. You can generate your own public/private key pair and a certificate for it yourself, in order to authenticate secure email, or use it with PGP (Pretty Good Privacy) for file encryption.

The issue is that your own DIY certificate stamp isn’t sufficient. You need to be checked out first by one of Microsoft’s partners to see if they think you warrant a certificate (of course they will, they want your money after all). The CAs provide a vetting service, checking the identification documents of whichever organisation wishes to obtain a certificate issued by a Trusted Authority. Microsoft calls these organisations “Trusted Root Certification Authorities”, meaning that any certificate they issue is trusted (and hence not hand made by Mr. Hacker).

Certificates can be purchased from any one of the companies on Microsoft’s “Trusted Root Certification Authorities” list:


The trouble is, getting one of these companies to make a certificate for you can be time consuming, and expensive.

My company is a proud Microsoft Partner. But there are things Microsoft do that are simply unethical. For example, preventing the certification of your software unless you hand over a bulk of unnecessary cash to the Verisign corporation. An Authenticode certificate from any of the other providers (Thawte, Comodo, etc) simply won’t work; it has to be from Verisign. This is for business and not technical reasons. Antitrust, anyone?

For example - compare the prices of an Authenticode certificate from these two providers:

  • Verisign: $499 / year (with discounts on multiple years to $431/year for a three year term) - standard code signing certificate

  • Comodo: $179 / year (with discounts on multi-year purchases).

What’s the difference? None. Except, you won’t be allowed onto the Microsoft “Certified For Windows” testing scheme until you’ve paid for the most expensive certificate. Even if your software doesn’t use it. I know… I’ve had to purchase both. Verisign took 3 weeks to process our certificate; they wanted to check all manner of business utility bills, phone numbers, test our fax machine and email before they would issue a certificate. Comodo issued a certificate immediately without any checks whatsoever. Comodo were also 3 weeks late in sending us our VAT invoice as apparently the support team was in hospital in January (talk about crazy excuses for a 250 person business!). Both vendors take immediate payment, however. Nice to see medium- and large-sized tech businesses screwing the smaller ones on price & service…

As a proud vendor of quality software, I of course want to put everything we make through the most rigorous testing procedures possible in the industry. Since we develop software for Microsoft Windows and Server platforms, it makes sense that our software is certified for use on the platforms for which it was designed.

In order for any vendor to test their software to Microsoft standards, it must be handed over to a third party testing organisation (e.g. Lionbridge) to be tested. It must also be code signed with a special code signing certificate that has to be purchased from Verisign. We had been using our own in-house code signing certificates up until this point. Needless to say, Verisign is the most expensive code signing provider in the market.

Also, since Microsoft released Windows Vista, the fearsome warning messages about unsigned code have become even more prominent. These messages “warn” users about unsigned code. Some platforms may be configured to not allow any untrusted/unsigned code to execute. Any professional software development house will have its own certificate to sign its files, or risk dealing with unnecessarily confused users, potential damage to business reputation, and lost downloads & sales.

What about customers?

There are benefits to using signed software. Obviously if Bob from next door wrote some software for you, it’s unlikely to be professionally code signed. However, you can probably trust Bob. If you download and install some software that purports to be from “Microsoft Corporation”, but on clicking the publisher link (see pictures above) you see that the certificate wasn’t issued by a trusted provider (Vista provides suitable red warnings for this), then it is obvious that the certificate is a spoof.
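The three situations described above (an unsigned file, a file signed with a home-made certificate that no trusted root vouches for, and a signed file that has been modified afterwards) can be reproduced with the Authenticode cmdlets built into Windows PowerShell. The following is an added example, not code from the original post; it assumes Windows PowerShell 5.1 with the PKI module (`New-SelfSignedCertificate -Type CodeSigningCert`, available on Windows 10 / Server 2016 and later) and uses a throwaway self-signed certificate that is removed at the end. The publisher name and file names are made up for the demonstration.

```powershell
# Added example: exercise Authenticode signing and verification with a
# throwaway self-signed certificate. Assumes Windows PowerShell 5.1 and the
# PKI module. Nothing here is taken from the original post.

function Test-Signature {
    # Summarise what Windows can say about a file's Authenticode signature.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject = $sig.SignerCertificate.Subject   # who the certificate says signed it
        Issuer  = $sig.SignerCertificate.Issuer    # who vouches for that identity
        Message = $sig.StatusMessage
    }
}

$work = Join-Path $env:TEMP 'authenticode-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$script = Join-Path $work 'installer.ps1'   # stands in for an installer
Set-Content -Path $script -Value 'Write-Output "pretend installer"'

# 1. Unsigned file: Status is NotSigned. This is the case that produces
#    the "unknown publisher" prompt on the user's desktop.
Test-Signature $script

# 2. Sign it with a DIY (self-signed) code-signing certificate.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=DIY Publisher (demo)' -CertStoreLocation 'Cert:\CurrentUser\My'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
# The signature is present and intact, but the chain ends in a root that
# Windows does not trust, so Status is UnknownError and the message reads
# "...terminated in a root certificate which is not trusted by the trust provider".
# Only a certificate chaining to a Trusted Root CA yields Status = Valid.
Test-Signature $script

# 3. Modify the signed file by a single line: the "stamp" breaks and
#    Status becomes HashMismatch.
Add-Content -Path $script -Value '# tampered after signing'
Test-Signature $script

# Clean up the throwaway certificate and files.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $work -Recurse -Force
```

The Issuer column is the part a user should read when the publisher link looks suspicious: a certificate claiming to be from a well-known company but issued by an untrusted or self-signed root is exactly the spoof case described above, and Windows reports it as UnknownError rather than Valid.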

What do I suggest?

If you’re a software developer: Pay Comodo for a code signing certificate, but try to find an affiliate that provides them cheaper than the list price. They are out there - drop me a comment if you want a link to my preferred affiliate’s store. When and if you go for “Certified” testing, contact Microsoft and tell them what you think about having to purchase another certificate from Verisign.

If you’re a consumer/computer user: The fact that something is signed does not mean that it is not dangerous. A signature does not mean that the software is safe, tested, or anything like that. It may not even be a guarantee that the software is from who it says it’s from. Trust no-one, and only obtain your software from legitimate sources (not BitTorrent or P2P filesharing).

What needs to happen?

Either competition between the trusted root certification authorities needs to increase, or Microsoft needs to acknowledge that a freely available or cheap trusted code signer should be made available for entry level Micro ISVs. Certainly the security checks offered by the root certification authorities need to be policed. Comodo sent out our certificate moments after purchase, presumably without making any checks. Verisign took three weeks. I am not sure what Verisign were actually doing during this time. Your mileage with certification authorities may vary.

Code signing isn’t the only segment Microsoft have wrapped up. They’re into SSL, client authentication, and secure email, and you need certificates for all of these. With SSL certificates at around $1,000 per year (from Comodo, for multiple sub-domains), is it any wonder that more and more hosting providers are moving away from Windows to cheaper Linux-based hosting solutions and charging more for use of their SSL certificates?

This is not a free market with open competition.

What do you think? Let me know, drop me a comment!


Lessons in e-commerce: Installing Zen Cart Part 1

January 25, 2008 by mike · 1 Comment 

I’ve wanted my own online storefront for quite some time now. Plimus pages work well, but resellers remove billing and product control from the vendor and charge exorbitant fees to do so, although they do have some powerful options such as license key generation and detailed reporting. A PayPal button is cheaper, but isn’t integrated and you need to do your own invoicing. Google Checkout is incredibly cost effective but, like PayPal, isn’t integrated and, being new, is less supported.

I wanted a solution to this dilemma - to be able to offer my customers a choice of products

I want to offer our customers a choice of products, the ability to purchase more than one product at a time, cross promotions, and a choice of checkout methods (passing the invoice/total amount due electronically to the payment processor for payment), while keeping control of the sale and keeping the process clean and efficient. We have multiple products available, but not in an obvious online store on our website.

I knew I wanted a shopping cart. I either had to code one by hand from scratch, or use one of the open source solutions out there. There are literally hundreds to choose from, so which one? I was looking for a cart which offers easy management of cross promotions and discount coupons, tracks advertising conversion rates, and calculates affiliate payments.

The daddy of the free open source shopping carts is osCommerce. And this daddy has two children, "Zen Cart" and "CREloaded". Open source software suits me: as a software developer, I know that I am on hand to investigate and fix any technical issues with the code. For non-technical readers looking for a business solution, I would highly recommend looking for a paid or hosted shopping site. Free open source software is not officially supported, and there is no support if you need help or if anything goes wrong.

Both CREloaded and Zen Cart contain all the features of osCommerce (and the default CREloaded template looks like osCommerce).

Both CREloaded and Zen Cart offer a management interface for setting up your online shop. CREloaded by default contains an affiliate tracking module, so that you can pay affiliates for sales that they make by tracking a click from their site to yours. Both CREloaded and Zen Cart have free and paid-for modules for the advanced handling of affiliates, as well as plug-in modules for almost any online shopping feature imaginable. Zen Cart and CREloaded are themselves "addons" for osCommerce.

Open source software is not officially supported, so it’s important that if I can’t resolve an issue directly, I can turn to the community for support. A quick Google search on "CREloaded" returns 757,000 results, whereas "Zen Cart" returns almost double. Anecdotally, there appear to be more addon modules for Zen Cart than CREloaded, and more forum and newsgroup activity on Zen Cart than CREloaded. However, both are based on osCommerce, offer more or less the same functions and have the same system requirements (PHP 4.0, MySQL 3.5). You should go with the one that feels best for you.

The installation of Zen Cart is as per any other PHP/MySQL application. First you need to set up your MySQL database and then provide suitable credentials during the installation process. Speaking of which, the installation process only requires that you upload files to your server and go to the URL of your store. No file permissions needed changing (the default CHMOD 755 on all files and folders applies), and no files needed editing.

So far so good, more in part 2 :)


$4,000 prize if you can fix HTC’s TyTN II driver issue

January 22, 2008 by mike · 2 Comments 

If you read my review of the TyTN II, you might be forgiven for thinking the device is god’s gift to business people and professional mobile users everywhere. Unfortunately, a problem has been discovered in all of the newer HTC model range which appears to be caused by broken or mal-engineered device driver software on the devices. Such a problem is technically fixable by a software update.

The site HTCClassAction.org is offering a $4,000 bounty for anyone who can successfully fix the poor graphical software of the TyTN II.

The company, “High Tech Computers” (HTC), a Taiwanese Microsoft Partner and market leader in creating the most powerful handheld devices on the market, has been under fire lately from websites and blogs claiming that the manufacturer “neglected to include the necessary drivers needed for the devices to come to their full potential”.

The main complaints surround the poor graphical performance of the HTC TyTN II. Specifically, laggy web page scrolling, choppy 3D rendering in GPS software such as TomTom and the inbuilt camera.

The HTC TyTN II itself is an awesome device, with impressive overall specifications, including (as I reported earlier) a built-in graphics chip, the Qualcomm MSM 7200. However, for the hardware to work to its full potential, the software manufacturer (in this case, HTC) first needs to load the correct “drivers” onto the device to handle putting graphics onto your screen. Without them, the HTC TyTN II feels, at times, unresponsive.

Ironically, older devices don’t have this problem - as one user demonstrates on a YouTube video:

[YouTube video: Magician (left) = old device with proper driver; TyTN II (right) = brand new device with inadequate/broken drivers]

Business users might not encounter such problems as the device is more than capable of checking email, and light web browsing. However graphical performance is compromised for games and the device doesn’t feel as responsive as it should do.

If you have a TyTN II, consider contacting HTC to let them know that you want updated drivers. Click here for more information.

Confirmed Affected Devices (list copied from HTCClassAction.org)

  • HTC TyTN II (MSM7200), also known as:

    • HTC Kaiser

    • T-Mobile MDA Vario III

    • AT&T Tilt

    • Vodafone v1615

  • HTC Touch Dual (MSM7200), also known as:

    • HTC Nike

  • HTC Touch Cruise (MSM7200), also known as:

    • HTC Polaris

  • HTC Wings (MSM7200), also known as:

    • HTC S730

  • HTC Titan (MSM7500), also known as:

    • Sprint Mogul PPC-6800

    • Verizon XV6800

  • HTC Vogue (MSM7500), also known as:

    • HTC Touch P3050 (this is not the normal HTC Touch)

    • Sprint Touch

    • Verizon Touch XV6900

  • HTC Libra (MSM7500), also known as:

    • HTC S720

  • HTC Iris (MSM7500), also known as:

    • HTC S640

Further Reading

Conclusion

If you’re after a PDA business phone, to check email, browse the internet, play a few ‘simple’ games and use as a superfast 3G data modem for your laptop, or to play back .wmv or .3gp movies, the TyTN II is still a very good choice. What needs to happen here is that HTC pick up the ball and release a patch to fix the drivers for the Qualcomm chipset in the affected PDAs. Within 12 months of the Apple iPhone launch, the iPhone Safari browser (although slower than a dialup modem) is already responsible for 1% of all web browsing, thanks in part to the sheer usability, strong hardware performance and strong driver support at Apple for their own device. Let’s hope that Microsoft see the problem and have a chat with their hardware partner!

I’m sure Steve Jobs is watching this hardware manufacturer integration fiasco and rubbing his hands with glee!

Is your device underperforming? Please let me know in the comments section.
