Archive

Posts Tagged ‘Security’

How to disable Skype Home

August 27th, 2011 9 comments

I like to stay up-to-date with my software, always making sure to take advantage of new functionality and security features as soon as they’re available. This applies to Skype just as much as anything else, so a couple of weeks ago when I noticed that Skype had released a new version I downloaded and installed it as I always do.

After installation I loaded the program to take a look and see if I could spot anything new. To my surprise and slight horror, a pretty big window called Skype Home opened alongside Skype itself which I quickly closed, assuming that it was only showing because of the fresh install of the latest version. Just to be sure though I quit the application and loaded it again, and to much greater horror this time Skype Home opened once more.

I had a look around for one of those “do not show at startup” tick-boxes that you sometimes get with stuff like this but couldn’t find one. I opened Skype preferences and had a look in there, hoping to find something similar to the settings in both Windows Live Messenger and Yahoo Messenger, but to no avail. It was then I opened Firefox and did some searching on Google to find various forums full of people lamenting about a new “feature” that Skype have added without any way to turn it off.

A number of things became apparent while reading these forums, such as the fact that Skype did something similar back in 2010 but backtracked in the face of mass protests from their users – so why they would try exactly the same thing two years later and expect a different reaction, I don’t know. Another potentially helpful fact I learned was that the issue only affected users who use Skype in classic view – those who use it in the new, social network-style view are unaffected as Skype Home is built into that interface. I say potentially helpful because sadly it wasn’t of any help to me as I don’t use that view – because it takes up two or three times more screen space.

The bad news was that Skype really haven’t allowed a way to disable the window and with only vague hints that such a way might be provided in the future I was given a choice: either go back to an older version (5.3.0.120 is the latest unaffected version which you can get from here) or find an acceptable workaround. I contemplated rolling back to the previous version but some of the changes in the change-log refer to fixed bugs, and the thought of re-installing software with known bugs didn’t really appeal to me so I decided to search for a solution.

After trying a few different solutions, the most elegant one I’ve found is ClickOff by a guy called Johannes Hübner from Sweden. This tiny little program continuously searches for other programs with defined window titles and performs default actions on them when they’re found. Apparently it was written with the intention of automatically responding to prompts (hence the word click in the name) but another task it’s ideal for is to close unwanted windows such as Skype Home. What makes it better than some of the custom-written programs out there that are specifically designed to target windows called “Skype Home” is that ClickOff will also work for users who use different languages. It can also be used with any other applications that might sometimes pop up unwanted windows (WLM does sometimes, even though I have specifically told it not to) or of course with prompt dialogs that you always answer in the same way.

Why am I posting this article today? Well yesterday Skype released another updated version of their messenger, and after the torrent of abuse they’ve suffered over the last couple of weeks I expected them to have included a way to disable Skype Home from within the program – but unbelievably they haven’t! So it looks like I – and many others – will continue to need ClickOff for the foreseeable future at least.

Update: It’s taken the Skype team an awfully long time to resolve this issue, but at long last they have. As of version 5.5.59.119 the Skype Home window no longer opens by default!

Eltima Recover PDF Password

April 12th, 2010 No comments

Company: Eltima Software
Product: Recover PDF Password
Price: From $39.95

Shortly after my SWF Protector 2 review, Eltima Software contacted me and asked me if I’d be interested in reviewing their Recover PDF Password software in exchange for a license. I required the services of such a tool just a couple of months back and at the time I used a 50-use trial from another vendor, so I knew that this was something that could come in handy.

I installed the application without any problems, though as it uses the same registration format as SWF Protector 2 it’s probably susceptible to the same issue if you happen to not put in the correct serial.

When the interface opened up, I was surprised to find that this tool is actually a brute-force password cracker rather than a password removal tool like the one I used a couple of months ago. Why would you need to spend time guessing a password if it can simply be removed? How curious!

The answer as I discovered after a little research (I don’t tend to use PDFs much in my line of work) is that PDFs have different layers of protection. There’s a “user password” and an “owner password”, and the “user password” protects against the opening of a file, printing and even copying and pasting of text and graphics, whereas the “owner password” protects against making changes to the document.

The PDF I unlocked two months ago only had protection against copying text – I was able to open and view the file without any problems, so obviously that aspect of the “user password” had not been used and as such the file was not encrypted. Because the file wasn’t encrypted, the tool had been able to simply change a couple of bytes to disable the requirement for a password and had unlocked the printing ability for me pretty much instantly. However, had the file been protected against opening – and therefore been encrypted (128-bit AES encryption by default) – then this tool would not have worked, and the only way round this is by brute force – which is where Recover PDF Password comes in.

I created a PDF and set the “user password” as “t3st”. I opened it in Recover PDF Password and as I knew the password was made up of lower-case letters and numbers, I selected numerals and lower-case letters from the options. Of course, if I really needed to use this tool the chances are I’d have no idea what the password was and as such would have to tick every box on there (including upper-case, special symbols and spaces), which would dramatically increase the time taken to crack the password as the number of potential combinations sky-rockets. The default length of the password to crack was 1-8 so I left it at that.

On an Intel Core 2 Duo laptop clocked at 2.2 GHz, the password was cracked in just over a minute. A popup window informed me that the password had been cracked and it also told me what it was. It then asked me if I wanted to save a new version of the file that had the password removed.

I decided to test again but with every combination ticked to see what difference it made to the time, and as expected it was significantly higher at 58 minutes.

It’s important to note that the fact that it takes so long to crack a password this way is not down to any shortcomings with the software – there are just so many combinations of passwords that it naturally takes time to check them all. Even a password of 4 characters in length has over 78 million possible combinations when using all of these different characters (as a comparison, when using just lower case letters and numbers there were only 1.7 million possible combinations), so that the password was cracked in just 58 minutes is actually pretty impressive as it gives us a rate of around 22,500 password tries every second (maximum, though the real value will most likely be less as it’s unlikely that it had to try every single combination before arriving at the actual password).

There are more advanced options as well, such as being able to specify patterns within your password such as “pass??rd” where only the question marks are tested, but again this would only be useful if you already had a good idea of what the password was but I’m suspecting that in most cases you won’t.
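The arithmetic behind the timings and the pattern option above, as an added example that is not part of the original review or of Eltima's software. The 94-character "all ticked" set and the shortest-first, charset-order enumeration are assumptions; the review does not say which symbols or which order the tool uses.

```python
import string

# Character sets for the tool's tick-boxes. The review does not list the tool's
# symbol set; 94 printable ASCII characters is an assumption, chosen because
# 94**4 matches the "over 78 million" figure quoted above.
LOWER_DIGITS = string.digits + string.ascii_lowercase
ALL_TICKED = LOWER_DIGITS + string.ascii_uppercase + string.punctuation

RATE = 22_500  # tries per second, the rate derived in the review


def keyspace(charset_size, min_len, max_len):
    """Number of candidate passwords of min_len..max_len characters."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def mask_keyspace(mask, charset_size, wildcard="?"):
    """Candidates for a pattern such as 'pass??rd': only wildcards vary."""
    return charset_size ** mask.count(wildcard)


def tries_until_found(password, charset, min_len=1):
    """Tries needed to reach `password`, assuming candidates are generated
    shortest-first and, within one length, in charset order."""
    base = len(charset)
    rank = 0
    for ch in password:
        rank = rank * base + charset.index(ch)  # ValueError if ch not in charset
    return keyspace(base, min_len, len(password) - 1) + rank + 1


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def exhaust_table(lengths=(4, 8, 12)):
    """Worst-case time to try every password of 1..n characters at RATE."""
    return [(name, n, human(keyspace(len(cs), 1, n) / RATE))
            for name, cs in (("lower+digits", LOWER_DIGITS), ("all ticked", ALL_TICKED))
            for n in lengths]


if __name__ == "__main__":
    for name, n, eta in exhaust_table():
        print(f"{name:12} 1-{n:<2} chars: {eta} to exhaust")
    tries = tries_until_found("t3st", LOWER_DIGITS)
    print(f"'t3st' reached after {tries:,} tries ({human(tries / RATE)})")
    print("pass??rd with lower+digits:", mask_keyspace("pass??rd", 36), "candidates")
```

Under the assumed enumeration order, "t3st" is reached after 1,405,938 tries, roughly 62 seconds at 22,500 tries per second, which is consistent with the "just over a minute" reported above. Each extra character multiplies the work by the charset size, which is why the table grows from minutes at 4 characters to years at 8.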

I personally use much longer passwords than my test 4-character example when I’m trying to protect something though, and in the event that I’d have to brute-force my way into one of my own files I’m guessing it would take several days if not weeks. Again, that isn’t a problem with the software – it’s a problem with the method used, but when a file is encrypted with 128-bit AES encryption this method is really your only option.

After your file has been cracked it’s added to a history tab so that you can keep track of your passwords without having to have them cracked again, assuming of course that you don’t simply save the cracked version instead.

So, to round up, if you have a PDF that you can open but it has limitations like not being able to print or copy/paste the text, your best way forward is to use a simple password removal tool as there’s no point trying to work out a combination on a lock if you can just break it off. On the other hand, if your PDF won’t even open without a password then a brute-force crack is your only option and in this case you need Recover PDF Password from Eltima Software.

Marks out of 10? Well, the software does exactly what it’s supposed to do and does it well. Brute-force cracks are always time-intensive due to their nature so it would be totally unfair to mark a piece of software down for not being instantaneous (though from experience this is what a lot of people expect from their software no matter how complex its task, simply because they don’t really understand what’s going on behind the scenes). Perhaps on a geek level it would be nice to know exactly how many combinations the tool had attempted before your password had been cracked, and there are a couple of instances where the software would have benefited from proper translation (when you save the cracked file the message says, “The file is written down successfully”), but for a tool that works through 22,500 password combinations every second in an effort to reunite you with your work, these are very minor gripes.

9/10

Uruguay tries to steal Quak Wordsearch

July 29th, 2009 No comments

In the early hours of this morning I got an email from Quak Multimedia’s GameWrapper alerting me to the fact that someone from Uruguay had become the first person to try to steal some software from me. They tried to steal Quak Wordsearch. They downloaded the wrapper and then ran it on their local machine. In fact, they ran it twice.

Thanks to GameWrapper, they were presented with a message that told them that the request was unauthorised and they were prevented from playing.

GameWrapper not only allows for you to specify who can play your content and who can’t, but it also tracks and records usage around the world and alerts you to any unauthorised attempts to run your content.

GameWrapper isn’t listed on the Quak website as it’s not so much a product but more of a tool that I developed to serve its games, but if you’d like the technology to help protect your content then get in touch.

Recommending: Carbonite – an online backup solution

June 9th, 2009 No comments

Around a year ago now I was working at my computer one night. Suddenly it made a few clicking sounds and immediately I knew that this was bad news. Unfortunately, while I considered my immediate backup options and tried to decide how best to save all of my files before my computer finally died, it blue-screened on me and refused to start up again. Yep, catastrophic disk failure. It hadn’t even given me enough time to make some essential last-minute backups.

I spent the next hour or so researching the best way to get my data off a broken hard drive and found a forum where one guy had frozen his drive in the freezer, arguing that the extreme cold would slightly shrink the parts inside and bring any contacts closer together. Why not try that? The disk had already refused to yield anything to the six different bootable recovery disks that I had tried so I felt that I had nothing to lose.

I wrapped the drive in a plastic bag to prevent moisture from getting inside it and placed it in the freezer. The next morning I removed the drive and found it to be so cold that my fingers stuck to the metal. I connected the drive to my computer and turned it on, not really knowing what to expect. Amazingly, it booted into Windows. I managed to move everything of any importance off the drive onto a second drive before the disk finally warmed back up to room temperature and failed again.

After buying a new drive and re-installing Windows and all of my other software, the first thing I did was look for a backup solution. I found one in Carbonite. Carbonite automatically and securely backs up the contents of your hard drives for roughly £30/year and offers unlimited storage. It’s continuous and automatic, secure and encrypted. It’s also available for Mac. I get peace of mind from knowing that even if my flat was to burn down to the ground, all of my music, my photos, my work – everything – is backed up off-site on secure servers.

As a happy customer I’d recommend it to anyone.

Game Wrapper

May 24th, 2009 No comments

Following on from the previous post about protecting your code with obfuscation, an obvious statement would be that the best way to protect your work is to ensure that no-one gets a copy of it! However once you put your work online, anyone with a cable or broadband connection could download it and make copies of it. Is the only option then to stop making your work available for download? Of course such drastic measures would prevent anyone from seeing your work at all and make developing a product totally pointless, but what if there was a compromise between the two? What if there could be a difference between what you gave people and what they actually saw on-screen when they ran that file?

Having a “key” file (which I’ll refer to as the Key) to access a “resource” file (which I’ll refer to as the Resource) centrally also means only ever having one location for that Resource, and so if you were to spot a bug in your Resource or if you wanted to add a feature, you’d only have to replace a single file for that change to permeate instantly throughout the internet.

Since your Resource would only ever be run centrally, this also opens the door for tracking. You’d be able to see who was accessing your resource and how often. If the Key was to provide information on where it was being run from you’d also be able to control the locations that had access to that Resource, and in effect you’d be making an “intelligent” Key that only worked for certain people.

All of this serves as the foundation for a piece of software that I have developed and called the Game Wrapper. Although called the Game Wrapper because I wanted to use it to serve my games to different websites, the same technology would actually work with any type of resource – games, animations, elearning etc.

I use Game Wrapper to serve games to various online gaming websites, so I know that every site has the same version of the game and if I ever want to add or change something in any of my games, I make that change once and upload the new file to my server and that new version instantly becomes the version that everyone is playing.

Game Wrapper also allows me to specify whether games are allowed to be played locally on a user’s machine or online only. If online only, I can also specify which websites are allowed to play it and this ensures that no-one steals the game to use it without my permission. If the game is ever run from a site that hasn’t been added to the Allowed list, I get an email that tells me which game has been run illegally and from which website.
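One way the server side of such an Allowed-list check could look, as an added example that is not Game Wrapper's own code. The hostnames, the `authorise` and `host_of` names and the alert record are hypothetical; the URL is whatever the Key reports about itself, so the check parses it and matches the hostname exactly instead of searching for an allowed name inside the string.

```python
from urllib.parse import urlsplit

# Constructed allow-list; placeholder hostnames, not sites named in the post.
ALLOWED_HOSTS = {"games.example.com", "arcade.example.net"}
ALLOW_LOCAL = False  # the "online only" setting described above


def host_of(reported_url):
    """Hostname the Key says it was loaded from, 'local' for file: URLs,
    or None when the value is not a usable http(s)/file URL."""
    try:
        parts = urlsplit(reported_url.strip())
    except ValueError:
        return None
    if parts.scheme == "file":
        return "local"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def authorise(game, reported_url, alerts):
    """Decide whether the Resource may be served; record an alert if not."""
    host = host_of(reported_url)
    if host == "local":
        allowed = ALLOW_LOCAL
    else:
        # Exact match only: substring or suffix tests would also accept
        # look-alike names that merely contain an allowed hostname.
        allowed = host in ALLOWED_HOSTS
    if not allowed:
        alerts.append({"game": game, "from": host or reported_url})
    return allowed


if __name__ == "__main__":
    alerts = []
    for url in ("http://games.example.com/play.swf",           # allowed site
                "http://games.example.com.evil.test/play.swf",  # look-alike host
                "http://evil.test/games.example.com/play.swf",  # name in path only
                "file:///C:/Users/someone/wrapper.swf"):        # run locally
        print(url, "->", authorise("Quak Wordsearch", url, alerts))
    print(alerts)
```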

I can also serve adverts before the game starts to load or I can serve the game right away – whatever’s best for any particular game.

Developers will know that when a Flash file downloads another Flash file, the downloaded file is stored in “Temporary Internet Files” so the scenario with which I opened the post about ensuring that users don’t ever get access to the Resource isn’t strictly true, but despite physically being on that user’s machine the file will only run if it’s run from the host website, only if it’s run from a Key, and only if the user is on the Allowed list.

Both the Keys and the Resources are also run through SWF Encrypt for an added layer of security.

Protecting your Flash code

May 23rd, 2009 No comments

Due to the insecure nature of Flash, I’ve always been wary of having my work decompiled and its code re-used without my knowledge or consent. By default Flash offers very poor protection against this. While it’s undoubtedly impossible to prevent this from happening completely (despite various security software vendors’ claims), you can make the process so difficult that most people will give up trying.

Of course, not all Flash work will be a target to such piracy but games and elearning products can be targets because the cost and time of developing these resources legitimately can be quite high.

An easy way to protect your work against decompiling is to run your work through an obfuscator. I use Amayeta’s SWF Encrypt, and while a file that has been obfuscated in this way is larger in terms of file-size, the protection that this process offers your code is well worth it. Obfuscating your file like this makes it almost impossible for a human reader to know what’s going on inside the code, much less be able to steal it or change it for their own needs. In a decompiler the code will appear to be nothing more than a load of gibberish, and in fact some decompilers will be tripped up by the obfuscated file and won’t even open it at all.