Encoded 3nd Party Mods??? No, thanks.

[ChrisTERiS]

Hello,

 

After a long time, of inactivity I decided to start my site (No Hosting Provider) based on WHMCS. To make it fit to my special needs, I search to find some addons to use with it, and also to install some others that I've bought at the past. What a surprise when I seen that even very simple addons (template customization) are encoded and use WHMCS's licensing mod.

 

My post here in NO WAY means that I'm supporting breaking license rules for multiple installations etc. But from the other point I can't accept to have a site which will waste resources for connecting to other servers for licensing check. I'm developing PC Applications since 1984 (yes, 26 years now), and Web developer since 2006, having already more than 25+ full modules for vBulletin. When I'm saying full modules I don't mean just an extention to current features but a full script like Classifieds, Dating, Newsletter, etc etc. I'm also one of the first (if not the first) who bought WHMCS Licensing addon at 14 Nov 2008. But I bought it having in mind to protect only my flagship products (priced over $150) and not remplate modifications of $10.

 

I've search in the sites of those who are selling WHMCS commercial addons using the licensing and nowhere I found a notice on how often they're runing the licensing check. By default the licensing module runs the check every 15 days but this is something editable by the coder. I can accept a one time check just for recording domain details, but to have 5 addons connecting everyday to servers worldwide for license check ... sorry NO!!

 

Maria

Edited January 15, 2011 by ChrisTERiS

[expandmind]

+ most of the modules are supported for some months and then some of them changing name so you need to buy new license and some others just not working with new releases of WHMCS.

 

I believe as WHMCS is not open source project there are must be some serious restrictions as in case of Mari's.

[Grizzlyware Josh]

@MicroHellas You're obviously a skilled and telented developer, and I can't see why you can't understand the need for licensing modules. If you're running licensing checks, you need to encode them, or there's no point.

 

I understand what you mean, but my flagship module is The DMCA Manager and I think I'd be very upset if the source got out, not for people not buying it, but because of the ammount of time I've put into developing the framework for my addon modules. Developing a module now is a lot faster for me, and having the competition potentially having my source, is wasting my time.

 

I invest a lot of time into my modules, and I know the other developers do too. We need a fair few sales to start making a profit as I'm sure you know. We all like free, open source things, but how do we bring home the bacon if everything is free?

 

If I couldn't licese my scripts for what ever reason, I wouldn't bother making them. Who am I to know is using them, if there are no restrictions? It's like not patenting the invention of the year and not caring who uses it, for free. All your work, wasted. No way of you reversing that is there. It's sad that we have to license & encode them. If the world was a more honest place, everyone would have what they want.

 

I don't mean to argue with you, I agree with you. It's a shame that scripts have to call back to the mothership. For the developer & customer. But it has to be done, and I don't think it's going to change. Low cost modules, I agree. $5, I wouldn't even bother encoding it. I brought an addon a few months back, I got sent a license key. I opened up the file and it wasn't encoded, and I thought, what's the point of the license key then?

 

</rant>

[ChrisTERiS]

I don't mean to argue with you, I agree with you. It's a shame that scripts have to call back to the mothership. For the developer & customer. But it has to be done, and I don't think it's going to change. Low cost modules, I agree. $5, I wouldn't even bother encoding it. I brought an addon a few months back, I got sent a license key. I opened up the file and it wasn't encoded, and I thought, what's the point of the license key then?

 

</rant>

 

We're NOT ARGUE, we're just discussing a hot topic. First of all I want to make clear that English is not my native language, so many times there are typos or wrong wording which maybe causes problems.

 

In no way I'm against encoding (hidding) the code. I know very well how many nights most of the coders had nightmares for an unresolved bug. I also know that even a single sale is valuable for those (including me) who are developing modules. Developing modules has 2 major disadvantages:

 

1.- The market is much more smaller than developing the same script as stand alone PHP script. eg getting an own example. My last mod is a Newsletter. If it was a stand alone PHP script my markeyt should be any type website. By doing it as an addon for vBulletin, my market is reducing not only to those site which have forums, but, even more, to those which are have forums and using vBulletin as forum software. Exactly the same is for WHMCS mods. You're looking for clients not only using a billing system, but for those using billing system and this system to be WHMCS.

 

2.- While developing a standalone PHP script, updates/upgrades is a coder's decision for when to do it (many times the amount of sales is a reason), in modules the coder must always follow the main products upgrades (a real hell for me with so many vBulletin updates).

 

So, we can bypass the encoding side. Actually by encoding code is also secure for clients as scripts with open source is more weak to hackers to find possible security holes.

 

I'm also not against the licensing. If someone pays for one license, he must use it for one domain.

 

What I'm against for, is the missing information to customers about how the licensing works. eg "I'm using licensing which works like ..... and connects to my server for checking every .....". And most important, what is happening if the seller's server is down. Matt is clear on this topic as for WHMCS. It says that the frontend will continue working, while admin panel not.

 

I believe that one check at the initial installation and turning off "Allow license reissue by the user" is the most fair way for both clients and sellers.

 

Yesterday I bought a commercial module for WHMCS. It's a complete mod, a full application, at a price of $50. I found normal to have it with license, even if there are the information that I want as I wrote above.

 

Today I was ready to install a remaking of the clientarea, which costs $10 (AUD). Bad surprise for me when I seen it using licensing. I'll not comment author's decision. What I want to know is whar happens if something goes wrong with his server? We're talking for clientarea. What the users will see if the licensing check fails??. Ofcourse I just droped any idea to install it, and to buy some more mods that I've in mind from the same company, as most probably they'll use the same way of protection.

 

Once more. We're discussing and not fighting

 

Maria

[wsa]

I see that one time also

[Sophia]

Today I was ready to install a remaking of the clientarea, which costs $10 (AUD). Bad surprise for me when I seen it using licensing. I'll not comment author's decision. What I want to know is whar happens if something goes wrong with his server? We're talking for clientarea. What the users will see if the licensing check fails??. Ofcourse I just droped any idea to install it, and to buy some more mods that I've in mind from the same company, as most probably they'll use the same way of protection.

 

Once more. We're discussing and not fighting

 

Maria

 

I believe thousands of people bought this mod (me included)... I have not read any complaints here yet. In fact the author is very helpful.

Actually I was under the impression that once a mod is licenced, it won't check anymore... but I could very well be wrong. Nice discussion, thanks for asking. I guess the author of those mods will be able to provide the ultimate answer

[sparky]

I take it that you are refering to my mods in particular the clientareahome mod.

The license check is done every 15 days. Once checked a local key is stored on your server which future checks then uses the local key. If after the 15 day check the licensing server cannot be reached it will try for the next 5 days before the license shows invalid. If by chance the license becomes invalid a client friendly message is displayed.

<h1>I</h1><h3>Your custom ClientArea home page is temporarily unavailable.</h3><h4>Please notify the administrator of this error.</h4>

If you are logged in as an admin you will see this

<h3>Your custom ClientArea home page license is Invalid.</h3><h4>You are viewing this notice because you are logged in as the administrator.<br />Please contact TsHosting Support.</h4>

If you saw the license check logs of just how many failed checks are done with someone that uses an invalid key (like 123456789) you would then understand why it is licensed to try to control the use of the mod to those who actually have purchased them.

In the event that I stop doing mods for whmcs (can't see that happening soon) the full source will be released to those who have purchased them.

 

If you were really concerned about the checks then why did you not open a support/presales ticket to ask directly?

 

If you are really concerned about the checks then I could encode the main file so that it will never check but will only work for the 1 domain and IP. Past experience with this is that it becomes very time consuming and also can be an inconvenience if you IP changes. Currently if your IP changes you just log into my clientarea and re-issue the license, done easily and with very little time used to do so.

[ChrisTERiS]

Past experience with this is that it becomes very time consuming and also can be an inconvenience if you IP changes. Currently if your IP changes you just log into my clientarea and re-issue the license, done easily and with very little time used to do so.

 

Everybody has past experiance and many of us bad experiance. There is a company (vbcover.com) which its website gone down for 2 1/2 months last year. They said it was his provider mistake who was unable to restore their data. Can you imagine? They have 10+ modules with many installations and all of them stoped operating.

 

I thought that there was no reason to open a support ticket. This is something that needs a fair discussion between coders and clients. For my own use I've already got the decision to not use that mod. But even if your mod was the reason to start this discussion, there are dozens others here doing the same, so it's not a personal issue.

 

Still I believe that the one time licensing check during installation is enought. Then turn off the "Allow users to reissue" and everything is ok. Nobody will have problem for one time connection.

 

Finally to comment a phrase of your post: "Your custom ClientArea home page is temporarily unavailable.</h3><h4>Please notify the administrator of this error.". What if I've 1,000 members seeing this message? Do I've to get 1,000 supports tickets for your mistake (assuming that is an issue with your server). Or do you think that users don't understand the real meaning of this message.

 

Maria

Edited January 16, 2011 by ChrisTERiS
Type (pad instead bad)

[sparky]

Finally to comment a phrase of your post: "Your custom ClientArea home page is temporarily unavailable.</h3><h4>Please notify the administrator of this error.". What if I've 1,000 members seeing this message? Do I've to get 1,000 supports tickets for your mistake (assuming that is an issue with your server). Or do you think that users don't understand the real meaning of this message.

In just over 3 years now this has not posed any major problems. The main reason for an invalid license is from when some hosts move servers and just needs to reissue the license.

You will also find that most clients do not read the entire message and will only comprehend the "Temporally Unavailable" part which implies that it will be back online soon. The very few that will actually notify you would most likely be minute so the chance of getting 1000 tickets would be slim.

Also the chance of 1000 users being online logging into your clientarea at the same time would be highly unlikely. Most apache webservers are limited to around 256 concurrent connections so you would need multiple servers to handle the load (load balancing). As whmcs is limited to only 1 server as part of its license your example of 1000 users is greatly reduced.

[Grizzlyware Josh]

@MicroHellas I wasn't arguing, I was reassuring you I wasn't

 

All of my modules run the same as Sparky's in the way of license check days. What you're saying about 'Check once' at install. What if Client A Orders a module. They install it, it calls back, good license, run. Never check again. He then contacts support and says, I've moved servers, please re-issue my license (If you've disabled the client from doing it themselves). You re-ssue it, he then 'sells' that license to someone else, or even gives it for free. They install the module, it calls back and gets a good response. I can run here. What about Client A who has the module running on his 'old' server? It's still running fine, as it hasn't been coded to call back at intervals. So it runs happilly. That could go on forever, and you're just replicating your license.

 

Losing track of your licenses, means anyone could be using it. They HAVE to call back. There's no other logical way for it to work, unless you lock it to the hardware which gets complicated. Allow customers to re-issue their licenses like I do, makes life easy for everyone. 15 Days between callbacks and 5 days without contacting the server is a long time. It's not that often. In future, I will add to the header of my code, how often it will call back, if people feel they want to know, I have no objection.

[ChrisTERiS]

@MicroHellas I wasn't arguing, I was reassuring you I wasn't

 

All of my modules run the same as Sparky's in the way of license check days. What you're saying about 'Check once' at install. What if Client A Orders a module. They install it, it calls back, good license, run. Never check again. He then contacts support and says, I've moved servers, please re-issue my license (If you've disabled the client from doing it themselves). You re-ssue it, he then 'sells' that license to someone else, or even gives it for free. They install the module, it calls back and gets a good response. I can run here. What about Client A who has the module running on his 'old' server? It's still running fine, as it hasn't been coded to call back at intervals. So it runs happilly. That could go on forever, and you're just replicating your license.

 

Losing track of your licenses, means anyone could be using it. They HAVE to call back. There's no other logical way for it to work, unless you lock it to the hardware which gets complicated. Allow customers to re-issue their licenses like I do, makes life easy for everyone. 15 Days between callbacks and 5 days without contacting the server is a long time. It's not that often. In future, I will add to the header of my code, how often it will call back, if people feel they want to know, I have no objection.

 

 

This issue is easy as 1-2-3 to resolve. Add a function to remotelly remove the installation. So when someone contacts you for reissue, you deactivate his installation and reissue a new license. Working like a charm Believe me.

[Grizzlyware Josh]

This issue is easy as 1-2-3 to resolve. Add a function to remotelly remove the installation. So when someone contacts you for reissue, you deactivate his installation and reissue a new license. Working like a charm Believe me.

 

Yes that would work... So on a re-issue it will call to the last known install location, and deactivate it. Surely the owner of the site could just paste the local key back into his SQL Database, and it will work again? Or rollback 24 hours on a backup...? Then the script would know no different.

[ChrisTERiS]

Yes that would work... So on a re-issue it will call to the last known install location, and deactivate it. Surely the owner of the site could just paste the local key back into his SQL Database, and it will work again? Or rollback 24 hours on a backup...? Then the script would know no different.

 

Even if somethings that must be secret, here is one of the tricks that I'm using:

 

1.- I add a function in the encrypted file

2.- When I remotelly call this function (always with a secret password as parametter), the only that this function does is to CMOD 755 an image of the actual script (vBulletin for me, WHMCS for you).

3.- I've also add a function which with erery run of functions.php checks the permissions of that image. If it founds it 644 continue ok. If it found it different halts the programm.

 

That's why I told you that is easy as 1-2-3. Just put yout mind to work a bit to find other similar tricks, and let the user restores the database as many times as he wants. The only that he will succeed is to waste his time:-)

 

Maria

[Grizzlyware Josh]

That's a very clever trick! But a restore of the account would fix it.

 

I think it's me, I'm very protective of everything. I'll always try to think of a way to flaw protection of a license check. I came up with a way to spoof the WHMCS one the other day. Compliated, but if someone wants somethign for free, they'll do it. I haven't tested it, but I think it would work.