Tag Archives: software

What every software vendor needs to know about SHA1/SHA2 and digital certificates

TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat Windows unsigned software warnings with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • On Windows 7/8/10 you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then download it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.
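The same field can be read from an exported certificate file without the GUI. The following is an added example, not code from the original post: it walks the DER structure of an X.509 certificate to the signatureAlgorithm field and reports whether it is SHA1-based. The sample inputs are constructed, certificate-shaped skeletons, not real certificates.

```python
import base64
import re

# Signature algorithm OIDs (dotted form), their names and the hash each uses.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length


def _decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)  # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def certificate_signature_algorithm(data):
    """Return (oid, name, hash_name) for a DER- or PEM-encoded certificate."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    data, re.S)
    if pem:
        data = base64.b64decode(pem.group(1))
    cert_tag, start, _ = _read_tlv(data, 0)            # Certificate SEQUENCE
    tbs_tag, _, tbs_end = _read_tlv(data, start)       # tbsCertificate (skipped)
    alg_tag, alg_start, _ = _read_tlv(data, tbs_end)   # signatureAlgorithm
    oid_tag, oid_start, oid_end = _read_tlv(data, alg_start)
    if (cert_tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    oid = _decode_oid(data[oid_start:oid_end])
    name, hash_name = SIGNATURE_ALGORITHMS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def needs_sha2_reissue(data):
    """True when the certificate itself is signed with a SHA1-based algorithm."""
    return certificate_signature_algorithm(data)[2] == "sha1"


def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def _sample_certificate(oid_hex):
    """Constructed, certificate-shaped DER skeleton (not a real certificate)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))              # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + bytes(256))             # placeholder signature bits
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = _sample_certificate("2a864886f70d010105")    # constructed
SAMPLE_SHA256_CERT = _sample_certificate("2a864886f70d01010b")  # constructed

if __name__ == "__main__":
    for label, cert in (("old", SAMPLE_SHA1_CERT), ("new", SAMPLE_SHA256_CERT)):
        print(label, certificate_signature_algorithm(cert), needs_sha2_reissue(cert))
```

This reports the algorithm used to sign the certificate, which is the field shown in the dialog above; it does not inspect the digest used in a signature on an installer.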

What should I do if my certificate is SHA1?

If your certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

Note that the order of the above is important (SHA1 first).

The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017.

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. It’s not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller codesigning.ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Updates

02-Mar-2016: Added missing link and minor update.

03-Mar-2016: Minor update.

Software products are *not* passive income

Some people dream of creating a ‘passive’ income that generates money on auto-pilot while they go and learn tango in Argentina, or whatever their chosen path to the top of Maslow’s hierarchy is. In my experience, a software product is a long way from being a passive income. I know lots of people who own software product businesses. I don’t think any of them regard it as a passive income either.

While on holiday I’ve run my own business from a laptop in less than an hour per day. But the business would start to suffer if I did this for more than a few months. Even if you are not adding new features, software products require significant effort to maintain. Sales queries need answering, customers need support and bugs need fixing. New operating systems will often break things in otherwise stable products (particularly on Mac OS X). And there is always admin stuff to do: tax, accounts and a hundred other things. Marketing also requires ongoing effort, whether it be in the form of A/B testing, newsletters, SEO, PPC or blogging. If you aren’t continually improving your product and marketing, then harder working competitors are soon going to start eating your lunch. You can hire people to do the work for you. But then you have to train and manage those people. And the most capable people have a habit of going off to start their own companies.

There may be some products that can generate passive incomes. Perhaps ebooks, training videos and mobile apps. But I expect they still need significant amounts of ongoing marketing effort if they are going to earn more than pocket money. Remember – if it sounds too good to be true, it probably is…

Confessions of a bad software entrepreneur

If you read blogs and forums and go to conferences you will soon pick up that there are a number of recommended ‘best practices’ for being a successful software entrepreneur. I don’t conform to many of them:

SaaS product

No. Both my products are desktop based.

B2B market

Not really. Most of my customers are consumers.

Funded

No. I bootstrapped the business from my own savings.

Subscription model

No. My licences are a one-time fee.

Beautifully designed responsive website

No! www.perfecttableplan.com converts well, but it is certainly not beautiful or responsive (a new website is on the way though).

Co-founder

No. Just me.

Delegation

No. I have delegated bookkeeping to my lovely and talented wife (who also proof reads this blog) but I don’t have any employees or virtual assistant and do the vast majority of things myself, including all the marketing, sales, programming, documentation and customer support.

Drip email campaign

No. One day perhaps.

Focus

Not really. I like variety. I have 2 products under active development and also do some consulting and training.

Social media campaign

No. I have long since given up on Twitter and Facebook as marketing channels.

Mastermind group

No. I do talk with my peers in forums, at meetups and conferences, but not in any structured way.

Started young

No. I was pushing 40 when I started my entrepreneurial career.

Endless growth

No. I can’t really grow the business much more without taking on staff or becoming a workaholic. But I am happy just to maintain the current level of sales. [1]

Exit plan

No. I haven’t given it any real thought. I am quite happy doing what I’m doing.

But…

My one-man software business has made me a nice living doing a job I enjoy for more than 10 years. So I guess I must be doing something right. There is no ‘one true way’ to be an entrepreneur. If you have a good product with good support and good marketing, most other things are optional.

[1] Added after suggestion by Tom Reader.

Technical Debt

Software products tend to build up ‘technical debt’ over time. Every bad decision, kludge and shortcut made to ‘just get it working’ makes the product more brittle and harder to change in the long run. Technical debt is very hard to avoid unless you know exactly what direction your product will take in the future (unlikely) and you can guarantee that the platform and libraries you build it on won’t change (even less likely). Like real debt, the longer you leave it, the worse it gets. Every so often you need to repay the debt if you want to keep your product healthy. Otherwise it will gradually degenerate into a Big Ball Of Mud.

My seating plan software has been developed continually for over 10 years now. I have done regular refactoring over that time to keep technical debt to a manageable level. For example, early versions of PerfectTablePlan were a bit lax about how memory was managed in the genetic algorithm. This shortcut wasn’t a big deal when the genetic algorithm was solving seat assignments for a few hundred people. But it became a performance issue when it was solving seat assignments for thousands of people. So I had to do a significant rewrite of the genetic algorithm. For PerfectTablePlan v6 I am going to have to rewrite all the remaining code that uses Qt3 classes, so that I can switch the codebase fully to Qt5. Oh joy! Thank goodness for the strong typing in C++. If I can keep the technical debt in check, perhaps people will still be buying PerfectTablePlan in another 10 years.

Technical debt is an inevitable consequence of the fact that software products are a ‘work in progress’ (including the software you are building on top of). The fact that software is never really ‘done’ can be frustrating, but it has its upsides. I was recently in the French mediaeval city of Laon, looking at their beautiful cathedral. I noticed that there were four and a half windows at one end of the transept. Four and a half? On further inspection it was clear that the builders had changed their mind part way through the build and then tried to cover up their mistake. It is still visible some 700 years later. At least we get the opportunity to correct our mistakes and our customers usually never know…


It’s great to be in the software products business

Those of us who own software product businesses sometimes grumble about what a difficult business it is. Although it’s indoor work with no heavy lifting, it has its frustrations: software piracy, customers who moan about paying a whole $0.99 for thousands of hours of work, buggy third party software, RSI, chargebacks and the catastrophic consequence of accidentally offending the great god Google, to name but a few.

But reading Kitchen Confidential brought home to me just what a hard business it is to run a restaurant. You have to make a major financial outlay to fit out the restaurant and kitchen. You have rent and staff salaries to pay every month, regardless of whether customers come or not. Staff turnover is generally very high in the catering business, so you are continually having to hire new staff. You have to deal with drunken, unreasonable and dishonest customers. Possibly also drunken, unreasonable and dishonest staff, who have ready access to sharp knives and boiling liquids. Theft by staff can be a real problem. You have highly perishable stock. If you don’t order enough, you have to turn people away. If you order too much, you have to throw away the excess or risk poisoning your customers. You have endless deliveries from suppliers, which you have to check to ensure they are the correct amount and quality. You have to keep the restaurant clean. Extremely long hours are standard. Even if you are doing well, you can’t seat more people than the restaurant can physically hold. A restaurant that has to turn people away Fridays and Saturdays might be empty on Monday. And success brings its own problems as you can only increase the scale of the operation by expensive and disruptive  measures such as opening a new restaurant or moving venue. The relentless overheads of staff, rent and stock mean that cash flow is a huge issue. It’s no wonder that restaurants fail so frequently.

Running a software product business is pretty cushy by comparison. You can start your own software product business with just a PC and a generous dollop of time. Nearly all the issues related to manufacturing, suppliers, stock and shipping go away when you are dealing with electrons rather than atoms. If you do make a mistake, you can usually put it right just by making another release. The worst a disgruntled customer is likely to do is post a snarky comment on a forum or send you a nasty email. High margins and low overheads means that cash flow is much less of an issue than for most other businesses. Software businesses also scale much more easily than other businesses. You aren’t tied to a particular location and don’t even need to rent an office building (billion dollar company Automattic has a fully distributed workforce and no company office).

The software business is a great business to be in!

 

7 Reasons Software Developers Should Learn Marketing

1. Improved career prospects

The intersection of people with development skills and marketing skills is pretty small. Being in this intersection can only help your career prospects.

Also an in-depth understanding of software is very helpful when you are marketing software, compared to a marketer who doesn’t really understand software.

2. It’s not rocket science

The basics of marketing boil down to:

  • Find out what people want/need/will pay for.
  • Get people’s attention cost effectively.
  • Communicate what your product does.
  • Choose the right price.

None of these things are as simple as you might think, if you haven’t tried them. But it’s not rocket science to become competent at them. Hey, if the average marketing person can do it, how hard can it be? ;0)

3. Less reliance on marketing people

If you don’t have any marketing skills then you are completely reliant on your marketing people to do a good job at marketing the software you have poured your soul into. Are you comfortable with that? How do you even know if they’re doing a good job?

4. Number crunching

Developers tend to be well above average in their analytical and mathematical skills. Online marketing tools such as Analytics, AdWords and A/B testing generate vast amounts of data. Being good at crunching numbers is a big bonus for some aspects of marketing.

5. It’s interesting

When I started out as a professional developer some 30 years ago, the thought of being involved in the sordid business of marketing would have appalled me. But, as I have got more and more involved in the marketing side of things, I have found it really rather interesting and creative. There is a lot to learn, including: pricing, positioning, customer development, segmentation, partnerships, email marketing, SEO, AdWords, social media and conversion optimization. I think of development as hacking computers and marketing as hacking humans.

6. Diminishing returns on development skills

The more time you spend as a developer, the better you are going to get at it. But you will run into diminishing returns. E.g. you won’t improve as much between your 9th and 10th year of programming as you did between your 1st and 2nd year. Learning a completely new skill avoids diminishing returns.

7. You’ll need it if you ever start your own software business

If you ever start your own software business you will quickly find that marketing skills are at least as important as development skills. So it’s a huge plus if you already have some marketing chops. Even if you have a VC sugar daddy who is going to give you enough money to hire marketing staff, you’ll still need some marketing skills to know who to hire.

If you are employed as a developer full time, I recommend you jump at any chance to get involved in marketing or go on a marketing course. I also run a training course for people wanting to start their own software business that includes a lot of material on marketing.

‘Start your own software business’ training course 2015

I am planning to run my ‘Start your own software business’ training course again this year, probably in September. It is an intensive weekend course, at a hotel in my home town of Swindon (in the UK). It is aimed at people who want to start (or at an early stage of starting) a software company selling desktop or web software. It builds on my 10 years of experience running my own software company and consulting to other software companies. It’s the course I wish I had attended when I started my business.

I know a lot of courses are online now. But I think you get more from face-to-face training. More intensive. More interactive. Less distractions. Also you get to meet other people in the same boat. I have run the course twice before and the feedback was very positive. You can find out more and read comments from previous attendees here.

Fill in the form on the training page if you are interested. I am happy to answer any questions in the comments, by email or on twitter.

The mystery of the Chinese downloads

It’s a good idea to regularly look through the logs of your website. You’ll often find something interesting. In March 2013 I was looking through the web logs for my seating planner software and I noticed the number of downloads of the Windows version of my software had gone up by a factor of 5, compared to the previous month. Everything else stayed pretty much the same:

  • The number of visits to the download page hardly changed.
  • The number of completed Windows installs hardly changed.
  • The number of downloads of my Mac installer hardly changed.

Odd. On further investigation it turned out that a number of Chinese IP addresses were downloading my Windows installer again and again. My software is not localised into Chinese and I get very few sales from China. Also there were no installs from these IP addresses (my software puts up a ‘thank you for trying’ page when it is first run). It was a substantial increase in bandwidth, but not enough to be a serious denial of service attack. Very odd.

I am on an unlimited bandwidth hosting contract so I wasn’t paying for the extra bandwidth. But I was worried that the volume of requests would slow down my web site. So I put a .htaccess file in the downloads directory to block the worst offenders.

After a few months I got the bandwidth from China down from ~30GB per day to ~100MB per day. I have been playing this game of ‘whack a mole’ ever since. Currently I have some 1700 Chinese IP addresses blocked.


PerfectTablePlan for Windows downloads per month 2013/2014

As an example I recently blocked IP 211.136.10.56, which was downloading PerfectTablePlan around 20 times per day, but never visiting a page on my website.

Here are the logs from one day (via Web Log Storming), picked at random before I blocked their IP:

And here is one of those records in more detail:

Web Log Storming classifies it as a ‘spider’. whois.domaintools.com says the IP belongs to ‘China Mobile Communications Corporation’. The IP is not listed on projecthoneypot.org and I wasn’t able to find out any more from casual Googling.

To block this IP I just added this line to my .htaccess file:

Deny from 211.136.10.56

But it is a bit of a nuisance to keep having to do this.
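The pattern described above (many installer downloads from one address, no page visits) can be picked out of the access log automatically. This is an added example, not the author's own tooling: it assumes Apache combined-format logs, a hypothetical installer path and a threshold of 10 downloads, and the sample log lines are constructed using documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log line: host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

INSTALLER_PATH = "/downloads/setup.exe"  # hypothetical; use your installer's URL path
MIN_DOWNLOADS = 10                       # assumed daily threshold; tune to your traffic
PAGE_SUFFIXES = ("/", ".html", ".htm", ".php")


def find_download_only_clients(lines, installer=INSTALLER_PATH,
                               min_downloads=MIN_DOWNLOADS):
    """Return [(ip, downloads, bytes)] for clients that fetched the installer at
    least min_downloads times without requesting a single page."""
    downloads, page_views, volume = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        try:
            # Only literal addresses can go into a Deny rule; this also keeps
            # malformed log fields out of the generated .htaccess lines.
            ip = str(ipaddress.ip_address(m["host"]))
        except ValueError:
            continue
        path = m["path"].split("?", 1)[0]
        if path == installer and m["status"] in ("200", "206"):
            downloads[ip] += 1
            volume[ip] += 0 if m["size"] == "-" else int(m["size"])
        elif path.endswith(PAGE_SUFFIXES):
            page_views[ip] += 1
    flagged = [(ip, n, volume[ip]) for ip, n in downloads.items()
               if n >= min_downloads and page_views[ip] == 0]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


def deny_rules(flagged):
    """Render flagged clients as .htaccess lines in the form used in the post."""
    return [f"Deny from {ip}" for ip, _, _ in flagged]


def _line(ip, path, status=200, size=0, hour=0):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [01/Mar/2016:{hour:02d}:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "-"')


# Constructed sample: one download-only client, one normal visitor, one heavy
# downloader that also browses the site, and one client below the threshold.
SAMPLE_LOG = (
    [_line("203.0.113.7", INSTALLER_PATH, size=5_000_000, hour=h) for h in range(20)]
    + [_line("198.51.100.23", "/"), _line("198.51.100.23", "/download.html"),
       _line("198.51.100.23", INSTALLER_PATH, size=5_000_000)]
    + [_line("192.0.2.50", INSTALLER_PATH, size=5_000_000, hour=h) for h in range(12)]
    + [_line("192.0.2.50", "/index.html")]
    + [_line("203.0.113.99", INSTALLER_PATH, size=5_000_000, hour=h) for h in range(3)]
)

if __name__ == "__main__":
    for rule in deny_rules(find_download_only_clients(SAMPLE_LOG)):
        print(rule)
```

`Deny from` is the Apache 2.2 directive used in the post; on Apache 2.4 it is still accepted when mod_access_compat is loaded.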

Other software companies are having similar issues. But I haven’t come across any compelling answers about why this is happening. Perhaps it is a way of masking some other nefarious activity? Does anyone have any idea what is going on?

Keyword Funnel is now FREE

I launched Keyword Funnel last year. It was only my second software product launch in 10 years. Keyword Funnel is a utility to help AdWords advertisers efficiently add hundreds or thousands of keywords to their campaigns. It was based on some tools I wrote for running my own AdWords campaigns.

It was a commercial flop. I sold a few licences, but not many. Most telling was the lack of any engagement. There were very few emails from website visitors and not many people who visited the website downloaded the free trial. There wasn’t even much interaction from the people that did buy licences. This was very much in contrast to my PerfectTablePlan product, where there was much more engagement straight away.

I could have tried to pivot or push on through using some of the stuff I have learnt over the last 10 years, but it felt like kicking a dead horse up a hill. Better to focus my finite energy and resources on more fruitful areas. I also decided that I just didn’t like AdWords enough that I wanted to spend all day thinking about it (and that was before my recent falling out with Google). I didn’t want to take money from people for a product that had no real future and for which I had lost enthusiasm. So I pulled the plug within a few months of launch. But it seems a shame to waste the work that went into it, so I am re-releasing it as a free product in the hope that someone will find it useful and to increase my luck surface area. You’re welcome.

As far as I can determine, the reasons it failed are:

It didn’t solve a real problem for enough people. This is the reason most products fail. I like to run my AdWords campaigns with hundreds or thousands of ‘long tail’ keywords. I assumed that plenty of other people did too. And, if they didn’t, they would once they had a tool that made it practical to do so, especially in the face of ever increasing competition and bid prices. But not many other people seem interested in long tail campaigns. I should have researched this more.

The AdWords market seems to be sharply divided into amateurs (people running small campaigns for their own products) and professionals (people running multiple large campaigns for other people). The amateurs have a million other things to do and want to spend as little time as possible on AdWords. In fact most of them seem to set up a campaign and then completely ignore it (bad idea). The professionals are happy to spend hundreds of dollars per month on a tool, but they want it to do everything, including creating ads and setting bids. There doesn’t seem to be much of a market in between for low cost utilities, such as Keyword Funnel. I’m not sure how I could have found this out without trying to sell into this market.

I found it hard to get any traffic. I am not an ‘Internet famous’ authority on AdWords. I wrote to various AdWords bloggers offering them free licences. But most of them seemed to be associated with other AdWords tools and weren’t going to promote a competing tool. I also tried an AdWords campaign, but unsurprisingly the competition was very strong.  It was hard to get clicks at a price I could afford as competitors with more expensive products could afford to spend a lot more per click. Also conversion rates on the clicks I did get were poor.

The user interface wasn’t perhaps as intuitive as it could have been. I didn’t really think enough about workflow.

Failing is never fun, but I knew it was a very real risk when I started and I did learn some useful lessons.

Before I wrote any code, I tried to do some validation of the product by talking to friends and people at conferences who used AdWords, including some AdWords professionals. There seemed to be some interest and I managed to get 60 people signed up to the beta mailing list. But I found it hard to get people to understand my vision of the product. That should have been the first warning signal. But, being a developer at heart, I used that as an excuse to build a beta.

I did the validation back-to-front. I mostly pitched them my idea for Keyword Funnel and then tried to gauge their interest. That doesn’t really work very well. What I should have done was ask people what problems they were having with AdWords and then waited to see if any of them mentioned ‘adding lots of keywords’, ‘grouping keywords into ad groups’ etc.

As I released new beta versions of the product, the initial interest seemed to peter out. I probably should have killed it at this point. But I persuaded myself that, having come this far, I might as well release it (paying customers being the only true validation). This was more down to the ambiguous nature of the feedback than sunk cost fallacy.

I followed my own advice and cut some corners in the development, but not enough. The planned 2 months part-time, ended up being 6 months part-time. I wasted time on activities such as: having a logo designed, writing licensing code, writing detailed documentation and setting up payment processing. In retrospect I should have waited until I was sure there was a market for Keyword Funnel before I bothered with any of that. When I launched my new Hyper Plan product I released a public beta within 5 weeks of starting work on it (part-time). I offered it free for several months (it just died on a certain date). I only added licensing code and set up payment processing when I felt there was sufficient interest to justify the effort. Hyper Plan just has a 1 page quick-start guide and the logo was designed in 10 minutes by me (both still on the ‘to do’ list to improve soon).

It is hard to get noticed in a new market. I knew this already, but perhaps I had forgotten how much hard work it was in the early days of PerfectTablePlan. As I already have an audience of thousands of event planners with PerfectTablePlan, it is much easier to cross-sell them Hyper Plan than it would be to create that audience from scratch.

Having had one successful (in my terms) product, I was perhaps a bit arrogant and didn’t spend as much time researching the market as I should have done. But validating a software product is hard, especially when it’s a bit different to everything else out there (I’m not interested in copying existing products). I had no real idea how successful any of my products would be before I launched them. PerfectTablePlan was much more successful than I expected. Keyword Funnel much less successful than I expected.

While the opportunity cost of Keyword Funnel was quite high, in terms of cash, I only spent a couple of thousand dollars. This was mostly on the website design and I reused a lot of that for Hyper Plan.

You can download Keyword Funnel here. Despite its lack of commercial success, it does (I think) do some pretty cool things:

  • Cleans up lists of keywords which you can import from various sources (e.g. removes foreign characters, capitalization and duplicates).
  • It has a nice keyword multiplier (much better than the Google equivalent IMHO).
  • Removes an unwanted keyword from all phrases in a single click.
  • Allows you to analyze all the phrases a keyword appears in.
  • Groups keywords into related ad groups.
  • Produces output in a form you can read straight into AdWords via AdWords Editor.

It’s completely free, you don’t even have to give me your email address. Maybe I will find a way to make some money off it at some point in the future (NB/ I am not interested in taking on AdWords consulting work at present).

Thankfully my new Hyper Plan product is doing much better than Keyword Funnel did. I wrote a bit about my approach to launching Hyper Plan here. It is too early to tell if it will do as well as PerfectTablePlan, but I am very happy with how it is doing so far.