9 Replies Latest reply on Jun 28, 2012 12:15 AM by NaturSalus

    Unlocking a locked runtime

    NaturSalus

      Title

      Unlocking a locked runtime & bypassing FM Password Recovery doings

      Post

      Hello,

      I have a "Trial Expiry" script that I use with my demo runtime applications, so that after a 30 day period the runtime application is locked and can't be opened.

      First question: Since it is plausible that I could lock (or time) myself out while playing with it, what would be the right way to unlock it?

      Second question:

      Unfortunately, the current password and account settings do not protect an FM-based runtime application from easily being hacked by applications like "Filemaker Password Recovery". It seems that this software creates a new password that allows the hacker to gain access.

      In order to bypass this event, I thought to carry out a "password" check right when the runtime application opens; if the password used is the one that I sent to the legal user the runtime application opens, if not it doesn't open.

      Correct me if I am wrong but there is not a way to check that the user is using the password provided by the developer and associated to the user account.

      So, what would be the way to foil the doings of applications like "Filemaker Password Recovery"?

       

      Thanks,

       

      natursalus

        • 1. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
          philmodjunk

          First Question answer: make backup copies that do not include the lock. If you lock yourself out, toss the copy and try again with the backup.

          Second Question: First, use advanced to strip out the admin account from the copy you distribute. Not sure this will work, but: give your password a unique privilege set name. Have your script check the privilege set name rather than the password.

          • 2. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
            NaturSalus

            Hello Phil,

            Thanks for your suggestions.

            • 3. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
              NaturSalus

              Hello Phil,

               

              Well bad news, your second suggestion didn't work.

              FM Password Recovery can easily locate all the account names and associate new functional passwords to all account names.

               

              Maybe this is not the right time since, hopefully, FMI is working to fix some of the numerous bugs that are part of FM 12 v1.0, but I am going to formally complain to FMI.

              • 4. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                philmodjunk

                Hmmm, I didn't suggest checking the account name. I suggested checking the privilege set name. Does that make any difference?

                What you are requesting is a new feature. You can use http://www.filemaker.com/company/contact/feature_request.html to do that if you wish.

                • 5. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                  NaturSalus

                  Hello Phil,

                  I suggested checking the privilege set name. Does that make any difference?

                  I did as you suggested: on open, the privilege set name was checked. But it didn't make any difference since Filemaker Password Recovery is able to get the Account Names and assign any password of your choice to them.

                   

                  What you are requesting is a new feature. You can use http://www.filemaker.com/company/contact/feature_request.html

                  I must disagree with you on this one since FM password protection is useless; it is an issue that should be addressed urgently.

                  As a matter of fact I already logged the issue.

                  Can you imagine that any FM based application can be opened by anybody?

                  What a mess!

                  • 6. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                    philmodjunk

                    I must disagree with you on this one since FM password protection is useless

                    The difference is in who will see your post. Report an Issue is intended for reporting possible bugs in the software. The TS folks that read it aren't likely to be the people needed to implement the design change that you want. The feature suggestion form is where you can post a requested design change and it will be seen by more/different folks at FMI than will be the case for your issue report.

                    I would also disagree that the protection is useless, but I am splitting hairs with you here. Password protection is like locking the front door to your house with a flimsy lock. It's better than no lock at all but a knowledgeable crook can easily get past it. It also requires getting a physical copy of the file. This does not apply to runtimes where you have to give users a copy of your solution, but many solutions never make it possible/easy for such individuals to ever get that copy in the first place and in those cases, the lock isn't so flimsy.

                    You might also consider that people that get a copy of your file and get the authorized password can hand out copies of your file to others while giving them the password as well. That would seem to defeat this scheme even if the user did not know about this utility.

                    Such "password cracking" utilities have long been available for Filemaker files. Some early versions of FileMaker were laughably easy to force open and get the actual passwords as they weren't even encrypted in older files.

                    Thus a number of schemes have been used to make unauthorized use of a runtime file more difficult. I believe we've discussed a few in other threads.

                    One trick that has come to mind might make the password "lock" a bit less flimsy, but if a user guesses correctly what you did, the file recover utility can still be used to get around it:

                    Hide a second database file in your solution folder with the same account name and password as Your Main file. I'm not sure, but you may be able to disguise this file so that it is not easily identified as another database file. In an "onOpen" script, use open file[open hidden] to secretly open this file and then use close file to close it again. If the user used the utility to change the password, they'll get a mysterious additional password log in window popping up that asks for the original password.

                    • 7. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                      NaturSalus

                      Hello Phil,

                      If FMI hasn't implemented a better security system, it is because FMI customers don't demand it or because FMI thinks it is irrelevant.

                      As soon as you offer a demo as I do, you are at risk.

                      No excuses for such a security hole in Filemaker Pro product.

                      Luckily the developer of Filemaker Password Recovery hasn't released v2 yet, and FM Pro 12 is secure for now. But since FM Pro 12 has so many peculiarities, who dares to use it till the peculiarities have been eliminated?

                       

                      I will try your suggestion.

                       

                      Thanks

                       

                      • 8. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                        philmodjunk

                        I neither made excuses for this issue nor disagreed with you. And developers have complained about this issue for years. I suggested a better way for your feedback to be heard and you can take that advice or not at your option.

                        • 9. Re: Unlocking a locked runtime & bypassing FM Password Recovery doings
                          NaturSalus

                          Hello Phil,

                          Okay, I requested the new feature as you suggested.

                          Until Apple Inc gets involved in FMI and puts in charge a competent management team, nothing will change significantly.

                          Something to think about: "FMI the kidding company"

                          Really sad...