views:

1869

answers:

23

We've developed a bespoke ASP.NET application for use on our customer's intranet. It appears they're unlikely to pay for it, so our boss would like us to introduce a time bomb.

[Edit:] Technical responses only please! Whether this is a good (or legal) idea is a question for CEOoverflow.com ;-)

All pages in the application inherit from a class called ApplicationBasePage and have consistent error handling, so I'm thinking that throwing an exception early in the lifecycle of ApplicationBasePage will be an easy way to make the application unusable. I'm open to other ideas you may have though.

My question is: how and where should we store the date on which the application will expire?

Some points to note:

  • The application is installed on a single server in the customer's offices.
  • Application data is held in a SQL Server 2005 database held on the same server. The database was designed by us and is not used for anything else.
  • The application is only accessible on their intranet: there is no access to the application over the Internet.
  • We currently have remote desktop access to their server, but would expect to lose that if things turn nasty.
  • The application is written in .NET 2.0.
  • Security is handled by FormsAuthentication.
  • We need to be able to turn the timebomb off or change the its trigger date easily (assume we still have remote desktop access to do this).
  • The server can normally access the Internet, but it would be best not to rely on this.
  • The timebomb will only lock users out: it won't destroy any data.
  • Unless it triggers, the customer must never be aware of the time bomb's existence.
  • Their IT guy will happily go poking around in the web.config or in the database. He's not a programmer but he's not afraid to change things "just to see what happens". Decompiling or reverse engineering the application would be beyond his capabilities.

For extra credit, how much do you think it's OK to rely on security through obscurity in this case?

[Edit:]

  • The application does a lot of business-critical date-dependent stuff, so we can be sure they won't change the clock on their server as this would make the application worse than useless.
+2  A: 

Does their web server have access to the internet? You may wish to utilise a web service to trigger the time bomb in addition to other methods, since the wily sysadmin may be willing to set the clock on the server back a few years.

Coxy
I considered a web service but didn't like it: it means they can't use their application if their internet connection is down. The application does a lot of date-dependent stuff, so if they changed their clock they'd really be shooting themselves in the foot. I'll edit the question to include this.
teedyay
... still, I suppose it's nice as a secondary solution: let them use the application if the web service can't be contacted; only lock them out if the web service definitely says "no".
teedyay
+8  A: 

Well here are some things I can think of

  1. Put a logic bomb that depends on one of your people logging on - so within a certain number of days of the last login application shuts down.
  2. To use a date based lockout and store the date in a table in SQL server. But encrypt the value stored using a standard algorithm that uses a salt buried in your code. This way you avoid exposing the date to the sys-admin.
  3. Using the method above store a large integer value from which you countdown as soon as the application loads into IIS - once it reaches zero delete the value in the db and lock down the application - you would have to reset the value using your encryption for it to work again.
  4. Security by obscurity is fine if this application but if you want to market this as a product then you would need some kind of encryption.

None of these are foolproof though...
Disclaimer: I am not any sort of legal expert - I answered this from a technical viewpoint alone. I personally would not do this since I think it's morally ambiguous.

Nikhil
Thanks. We can't use 1 since we won't be regular users of the application and they could rightfully deny us access to it; 4's not a problem cos it's so client-specific. 2's probably more or less what we'll do. I like 3's idea of removing all traces of the expired key: that's pretty sneaky! :-)
teedyay
+5  A: 

Couple of points to consider:

Is this even legal? Assuming you aren't planning on disclosing this Easter Egg, "Unless it triggers, the customer must never be aware of the time bomb's existence", you might be in for some legal trouble...

If the customer has access to the source then I can't imagine how you could include anything that they couldn't hire a developer to remove. Even if the IT guy isn't a developer it's not beyond their ability to hire another developer to reverse engineer the code.

Lastly, bad karma... If you are really working with a customer whom you don't think you trust to actually pay, then why work with them at all? I would expect that you would want to put everything on the table and get a full commitment from the customer before performing the work. If the customer balks at committing to pay then I would walk..

Dscoduc
Good points, and I'm glad I don't have to consider most of them myself! :-) The customer owes us a substantial sum and we've been wrangling with them for quite some time. Our management feel it's time for extreme measures.
teedyay
"Our management feel it's time for extreme measures" ... like, y'know, getting a lawyer?
Piskvor
Yes, I believe they're doing that too. This is just to stop them denying us remote desktop access to their server and thereby getting our application for free.
teedyay
If the customer has access to the source, then you're right, the client already has the program for free.
They have no source access, fortunately.
teedyay
If you're doing this to prevent them from "denying you remote access", then you're guilty of extorting them. This is illegal, regardless of what they have done to provoke this response from you.
Lasse V. Karlsen
+6  A: 

I really don't see any scenarios where this would end well. If you're worried about being paid (and they're presumably worried about paying for an app before it's delivered), what about setting up some kind of escrow? They put the payment into escrow with mutually-agreed provisions for releasing the money, and you then continue work knowing that the money has been set aside until you finish.

Alex Zuroff
I agree. I'll let my managers worry about that though - I know where my talents lie and they're much more in software development than in running a business. :-)
teedyay
Then you should protect your talents. If the company sues you for breaking into their servers and performing what basically amounts to vandalism, your software development career might come to a screeching halt.
Lasse V. Karlsen
+1  A: 

If you want the date to be on the server itself and not on the internet, it seems security through obscurity is your only bet. This is sensible though - you wouldn't want the application to check on the internet each time it starts for the date and die when there is a bad internet connection.

The easiest method is saving the date in the assembly itself as a variable. If you're afraid of simple decompiling encrypt it and store the key in the assembly too. If you think you would like to change the date in the future store it in the DB/web.config (encrypted of course). For encryption you can use anything from base64 to public key cryptography. Obviously that won't hamper serious decompiling of your code... but it is good for starters.

On a side-note, does 'logic bomb' reminds you Swordfish too?

maayank
It didn't remind me of Swordfish, no, but we'll consider strapping some C-4 and a large number of ball bearings to their server, just in case... ;-)
teedyay
+11  A: 

I agree with the comment about calling it a trial version and letting it expire. In one of our products, a web publishing system, we have a common page class that will check the users license key and if it isn't valid we will print out a message at the top of all pages. The message is very visible but it does not affect the way the program works.

To do the check we store a "registration key" in the web.config file. We compare this with a key that we calculate, and the algorithm for calculating it is stored in a separate assembly. If the keys match we assume that the product is licensed.

For our use we only supply a customer name to the registration key calulcation algorithm, but you might want to add a version number or some other date. The registration key is then generated by calculating an MD5 hash of the supplied name combined with a secred code (some random bytes in an array).

This is by no means fool proof or very solid, but it is simple and has been enough for our use.

Rune Grimstad
Hmm, we might be able to wangle calling it a trial version, given that they haven't paid for it yet and insist that it's not fully-functional (which of course we dispute). Thanks.
teedyay
Hehe... Of course you dispute it! One question though. Will they use the product if it isn't functional? And if they will, could you not remove some functions to make sure the product isn't functional any more?
Rune Grimstad
I think they'd use the application as it stands: it's way better than what they were putting up with before.
teedyay
But note that you're on thin legal grounds if you remote into the servers of that company and then introduce the "trial version logic" after the fact. If the logic was there to begin with, and would already time out unless extended, that would be one thing, but anything they do now to provoke this manually falls under vigilante-like-laws in most countries.
Lasse V. Karlsen
A: 

Move some logic to a webservice on your own servers. Let the customer application be dependent on that webservice. Have a good reason to move that logic, like "Its our core-business so we need to control that", make that change as a part of a "new version" of the program.

Renew the contract with the customer with a new section that tells that if they dont pay, your webservice will be disconnected.

If they dont want to sign the contract they dont want to do business with you and you can disconnect the webservice for them, if they sign, they agree to the new terms.

This is really the only way to do it if you want to be sure they cant use it if not payed. Else you have to relay on suing them or threats like that.

Stefan
Nice advice. We wouldn't be able to pretend we need any logic running on our servers in this instance, unfortunately, but building it into the contract is a good idea. Probably hard to do at this stage, but could be a good idea for future contracts.
teedyay
+2  A: 

Knowingly introducing a "time-bomb" like that is certainly illegal. Your boss isn't the first one to consider it and won't be the last. His best bet is to halt production implementation until a payment is made.

Tequila Jinx
Maybe... the argument is largely over whether the application is currently fit for purpose. They say it isn't, we say it demonstrably is. The concern is that they'll refuse to pay but keep the totally-usable version of the application that's currently on their server.
teedyay
"Certainly illegal": can you cite some relevant legislation? That could be useful. Also, do you know if this applies to bespoke software that they haven't paid for yet?
teedyay
+1  A: 

Like many others here , I would say don't do it. I don't know if it is illegal but it just doesn't feel right. Business must be based on trust and open discussion must take precedence over such schemes.

Talk about your concerns and freeze development, if necessary - I assume they want the product after all!

paul
They do want the product and what they've already got is sufficient to run their business. The concern is that they'll keep what they've got, but claim it's not fit for purpose as an excuse not to pay.
teedyay
There's no real recourse if you burn the bridge by destroying the product you gave them. Who owns the source?
We own the source, fortunately. I imagine we'll keep advancing the expiry date whilst negotiations are taking place; it's only if they walk away that the time-out will trigger.
teedyay
+40  A: 

"They're looking unlikely to pay for it, so our boss would like us to introduce a time bomb."

You're being asked by an incompetent businessman to implement a technical solution to a business problem. If your client is not going to pay, your Boss should be dealing with the situation like an Adult and not screwing around with logic bombs like a highschool hacker.

It's unethical, probably illegal, but mostly it's just stupid.

nailitdown
+10 if I could. Trying to solve non-technical problems by technical means WILL create other problems and likely won't solve the original one.
Piskvor
You're probably right, but to be honest if I was running the business it would have gone bust years ago. I'll leave the management decisions to them and I'll stick to writing robust code. (I'll consider pointing my boss to this page though...)
teedyay
I agree with teedyay. His question wasn't about whether or not this is a good idea, he was asking about the technical aspects of implementing it. Doens't matter if they use it to disable the program, or use the new technological insights to enhance the security, he was simply asking for tech help.
It may well be unethical, but then isn't failing to pay your bills a little unethical as well?
Martin Brown
paying your bills has nothing to do with ethics :) ... teedyay/devinb - noted on the question's content, but i really think questions of this nature need to be responded to with good advice, not just technical advice.
nailitdown
You cannot separate the technical from the ethical. Do we offer advice here on how to build better worms and viruses? As interesting as it might be, I hope not!
paul
@nailitdown I agree completely, however, you come to stackoverflow for the technical advice not the legal advice. I should hope they have better legal sources than those of us here.
@Paul worms and viruses can be made out of the advice we freely distribute here. It's all a matter of phrasing your question. teedyay was more blunt in his question and so the answers he got focused on ethicality not technicality. If he'd been more subtle with the question, people would've happily
If the service in question had been a hosted one, or similarly continuously provided by the owner company, then turning off the service is a valid, and legal response. But the current response is equal to the power company blowing up my microwave unless I pay the electrical bill. They're not allowed to do that, regardless of how much I owe them. That this is software does not change the fact. There are laws governing this, and while the owner company might be ticked off, if they expect the other company to obey the law, they should obey the law themselves.
Lasse V. Karlsen
A: 

Technical problems are handled by programmers, business problems are handled by lawyers. Your boss needs to use the right tool for the job.

annakata
Thank you. It's nice to know that though my boss thinks I'm a tool, you don't. ;-)
teedyay
heh - the double entendre did occur to me, but I thought the analogy was appropriate
annakata
In this case, his boss is looking at both aspects, which is always a plus.
+3  A: 

This sounds like a job for a lawyer.

Apart from that I would use a simple configuration file that contains the expiration date. Then store an RSA encrypted hash of that date in the configuration file, too. If you update the expiration date then you just update the encrypted hash, too. The application reads the date on a regular basis and decrypts the hash with the public RSA key and then checks the hash. If they tinker with the date, encrypted hash or public key then the application stops working.

unbeknown
But be careful they're not able to change both the encrypted hash and the public key used by the app for decryption. Then they'd be able to set the date to whatever they liked...
Martin McNulty
Good thinking. I guess we'd keep the public key hard-coded in the app to make it much harder to change.
teedyay
+4  A: 

If the customer has all pieces of the software, you cannot fully prevent it.

The only proper way is to make the application depending on some component that you own, for example it could require an activation after some time, or a ping to your web server.

This could be achieved by taking the installation date and using it as some sort of salt/cryptographic key and encrypting all data with it. You could then compare against that installation date. If the customer screws with it (setting the clock back), you will notice it since you have the original installation date. If they change the date, that will also change the cryptographic key and thus the data can not be decrypted anymore.

There is still a way around it, but with any time based solution you somehow do need to keep the installation date as a base to compare against, and you need to make this tinker-safe, hence the idea of using in some sort of encryption to protect all data with it.

Michael Stum
+2  A: 

Don't put you name around anything you do and remove all existing comments that have your name in them. If it does go to legal and your name is on the program your boss could easily throw you under the bus and say he had nothing to do it with it. I would seriously re-consider on following this direction. I know it's managements decision but if your doing the work that could easily come back to bite you.

Robert
A written notification signed by the boss would be more useful
Jacco
Besides, if they use Source Control, the Logfile/diffs of Commits is more interesting than comments.
Michael Stum
very true. basically don't do it
Robert
+1  A: 

This is fairly underhanded, but you could just write a scheduled task that executes a program which salts all the passwords. It doesn't ruin any data, and as long as you have access you can disable the schedule task. Also, if something happens where you want to give them the information back, it would be as easy as unsalting... desalting... the passwords.

As with many others, I would have reservations about actually implementing this.

Haha! That's genius! Passwords are stored salted and hashed in the database anyway so they'd never notice the change. The danger is that they'd spot the scheduled task before it ran, or restore their database to the previous night's backup, thus restoring the passwords. Nice idea though!
teedyay
+5  A: 

Setting the ethical issues aside, if you're worried about your serial number implementation being hacked why not use an X509 certificate? If, for example, you have a Windows box with certificate server installed it can exposed a certificate revocation list on the internet.

Issue each client with a client identification certificate (bonus if you are supplying update checking to a central server - now you can use client/server HTTPS without worrying about passwords).

If the client doesn't pay then revoke the certificate. In your application startup simply load the certificate and check it's validity ...

blowdart
+2  A: 

I am not a lawyer, but heres my perspective: If they are claiming the program does not work and it is unusable, then they cannot later argue that it 'works less' and hold you responsible for damages unless they already made partial payments for what does work.

I would get their complaint in writing before you try any of the suggestions here. (I would add that the 'free trial' route seems safest)

zsharp
+3  A: 

Two thoughts:

1) I would host the application for them off-site until they pay, or until they put the money in escrow. If they say it doesn't work and won't pay then they won't mind if you turn off access whilst the agreement is sorted out, will they?!

2) We've done similar to this before. We spent far more time considering how any possible "time bomb" would be 100% bullet-proof so that it could not go off by accident either before the cutoff date, or at some time accidentally after having been "de-fused". For example, it may be better to actually remove the code rather than to just change a flag from "Trial" to "Unlimited use"

Kristen
#2: Very good point. We'll release a version without the expiry check after they've paid us and we're all friends again.
teedyay
+1  A: 

I would implement some kind of method in a compiled dll that you store in the bin directory. Call it something other than timebomb.dll.

You should then have a method in this dll that returns true or false:

public bool hasTimeExpired() {
  //Pseudocode
  DateTime expires = new DateTime(Janurary 10, 2009);
  return ( DateTime.Now() >= expires );
}

Just check the hasTimeExpired() method on Application Startup (global.ascx??) or on certain code pages, depending on how you want to handle the expiration message.

The dll in the bin directory would be easy to replace with a new compiled version when you wanted to turn off the timebomb or to extend the time. It would have to be decomplied to figure out the expiration date and would be easy to circumvent if they find out how it works, but as you said, the admin in question probably wouldn't do this.

Other than this, you really need to be working with a Lawyer, but sometimes a lock on a piece of borrowed software like this is more effective and cheaper than a Lawyer.

Redbeard 0x0A
Ooh! I like that! Though instead of returning a bool we'd return an encrypted copy of the expiry date to be decrypted in the main app, but that's a nice sly place to hide it, and it can be changed without restarting the application (we use sessions in the app, which would get cleared on a restart).
teedyay
Dropping that new dll in the bin directory will most likely cause IIS to recycle the AppPool and recompile bits of the application.
Redbeard 0x0A
+2  A: 

You might want to warn your boss that if his customer suffers any monetary loss (including loss of customers), your company is going to be liable for that loss and probably penalties, too, plus your company's legal fees. And, if the company doesn't survive the lawsuit and settlement, you'll be out of a job.

I'd think twice before just going along with this if I were you.

Ken White
Thanks, I'll mention that to him. I think we'll be OK in this case though, as they're not using it for running the business live yet.
teedyay
That doesn't necessarily matter. If they did any kind of significant work with the expectation of using it to run the business (eg., new servers, increased bandwidth, advertising new features, etc.) it could still be an issue. Much better safe than sorry sometimes. :-)
Ken White
+1  A: 

I can't speak to the legal issues.

Technically, I supposed you could do this. Make a key pair, and use the private key to encrypt a file with an expiration date. Your app will use a public key to decrypt the file with the expiration date. Every time the program runs, prominently display something like "57 days left until the license expires. yada, yada." That way, they have a continuous warning that the app will stop working.

As far as then corrupting any data after the expiration, I wouldn't do it. I think I'd encrypt some key items in the data that require the app to decrypt.

It's hard to get around a sysadmin that will set back the clock, though. But, if it has a net connection, you could have it "phone home" in order to get the key, and not work at all if it can't get it.

Don Branson
No, we certainly wouldn't corrupt the data: we'd only lock them out. I like the countdown warning idea - that should cover our asses somewhat. Thanks.
teedyay
glad i could help.
Don Branson
A: 

Do the Anti-Virus route, make an external call for "Updates". If you don't get the updates the application stops working if they don't pay, stop giving them updates.

I think it's the wrong solution to the problem, but I understand that your job is to do what you are told.

Bob The Janitor
"... do what you are told." *resists Godwin's law* ;-)
teedyay
+2  A: 

Thanks for all your responses!

We didn't quite do what any one person suggested, but used ideas from several of you.

Firstly, we stopped calling it a time bomb, and called it a licence instead. As the software is (arguably) incomplete at present, and as the customer hasn't paid for it, we can call it a test version that expires. This (probably) gets us past most of a legal minefield, and (as zsharp pointed out) if they claim the product is substandard, they can't really complain if they can't use it.

Anyway, the technical implementation goes like this:

We wanted the expiry date to be hidden where it wouldn't be stumbled across, and if it were noticed, be in a form that wouldn't be readily modifiable. It also had to be somewhere we could be sure wouldn't be affected inadvertently, even though it's on a server we don't have all that much control over.

So, we encrypted the expiry date and put it in an Extended Property on the database that the application uses, giving it a suitably misleading name.

The application checks the key on startup, setting a static boolean flag to true if the application hasn't expired. Every page in the site checks this flag and bounces the user to the error page if the flag is false.

We're happy with this solution for the following reasons:

  • It's easy for us to change the expiry date of the application.
  • There's no reliance on the internet being accessible, nor anything else beyond their server.
  • The protection will survive backups and restores, or the application being moved to another box.

When the arguments have stopped, they've paid us and we're all friends again, the next upgrade to their application won't have the check in it at all, ensuring this forgotten piece of code won't be accidentally triggered at some point years down the line (thanks, Kristen!).

teedyay
//Addition: Being the "incompetent businessman" (see topvoted answer above ;-), I feel the need to explain that this was not our *only* approach to solving this problem. However, the nice end result is that we were able to complete the application and the client was able to fully pay for it. Everyone happy!
h4xxr