LimeLM
wyBuild
Support forum
wyDay blog
wyDay Home

The wyDay blog is where you find all the latest news and tips about our existing products and new products to come.


wyDay blog

Archive for the ‘Programming’ Category

TurboActivate and TurboFloat 4.1 are now out! This release is a huge leap forward in quality and features and sets the foundation for the new product releases that will be rolled out over the next 2 months.

So, wait no longer: get the latest TurboActivate and TurboFloat on your API page.

If you’re not already a LimeLM customer, sign up now for free!

Here are the big “marquee” features of this release:

NodeJS support

NodeJS & Electron logos

We’re proud to be the first commercial licensing to offer true hardware-locked (a.k.a. node-locked) licensing and floating licensing (a.k.a. concurrent licensing) for NodeJS. This means it’s easier than ever to sell your NodeJS and Electron apps. You can write in pure JavaScript and let us handle all of the platform-specific details that need to be figured out for fast and accurate licensing.

Learn more over in our “Using TurboActivate with NodeJS or Electron” article (for hardware-locked licensing) and our “Using TurboFloat with NodeJS or Electron” article (for floating licensing). These articles and the accompanying example apps will show you everything you need to know to add true node-locked and floating licensing to your NodeJS app whether you’re on Windows, Linux, macOS, or FreeBSD.

Which brings us to our next big feature:

Full, native FreeBSD support

BSD logo

In addition to supporting the “big 3” operating systems (Windows, macOS, and Linux) with this 4.1 release we’ve added support for FreeBSD! All of our products now run natively on FreeBSD 10.x and above (no Linux compatibility layer necessary).

You can download the latest versions on your API page in LimeLM.

TurboFloat Server behind HTTPS

HTTPS lock

Prior to this release of TurboFloat Server version 4.1, the TurboFloat Library and TurboFloat Server only “talked” over encrypted raw binary. This was perfectly fine when the TurboFloat Server was behind a corporate firewall and all of the “clients” existed in the same network.

Things got trickier when a corporate end-user decided to host their TurboFloat Server on a public facing computer and their employees ran your app from different networks. If they had a “direct” connection to the server running the TFS instance (whether on the same network or through a VPN), then everything worked fine. But things are rarely so easy in a corporation. Inevitably communications would need to go through a labyrinth of proxies. And, unfortunately, proxies rarely support “raw” transmitted data.

The solution is letting your app (using the TurboFloat Library) talk to the TurboFloat Server over HTTPS. Read more about how to do it here: Configuring TurboFloat Server for HTTPS communication.

Now corporate clients with complicated proxy setups (or anyone else) can have all of the communication happen over HTTPS.

Better client-side trial fraud detection, real-time trial expiration

We’re also excited to add improved client-side date/time fraud to the timed-trials functionality in TurboActivate. We improve client-side fraud detection with every release of TurboActivate, but this version took a leap forward.

Additionally, we’ve added a new function “TA_SetTrialCallback() that gives you real-time notifications of trial expirations and fraud. This means there’s no more need to “poll” TurboActivate functions for the life-time of your process. Just, call that function once, and let TurboActivate handle it.

More consistent Linux ARM builds

arm logo

Prior to this 4.1 release we made the following ARM builds of our products:

  • armv4t, 32-bit little-endian, soft-float

  • armv7-a, 32-bit little-endian, soft-float

  • aarch64, 64-bit little-endian, soft-float

But we’ve found this doesn’t match the use-case for most of our customers on these platforms, so we’ve added “hard-float” version for everything other than the armv4t target, and we’ve added an armv8-a, 32-bit build. So, here’s our new targets:

  • armv4t, 32-bit little-endian, soft-float

  • armv7-a, 32-bit little-endian, hard-float

  • armv8-a, 32-bit little-endian, hard-float

  • aarch64, 64-bit little-endian, hard-float

What this means in practice is that you can sell your app and target distros like Raspian (and all other popular arm-based distros) without having to re-target your app for “soft-float” support.

A ton more…

In addition to the big features listed here, we have a ton of quality improvements and tweaks to provide a better experience for all end-users. Read a condensed list of changes here for TurboActivate and the changes for TurboFloat.

Roughly a year ago we made a change to how the LimeLM web API functioned. We changed the behavior from allowing API calls to originate from any device anywhere in the world, to only allow 1 device to use an API key. We did this for security reasons, which I’ll explain in-depth in a moment. But the side-effect was that this made our web API harder to use.

And we didn’t make this change blindly. We knew that this change would both increase our customer’s data security but it would do it at the expense of their ability to easily use our API.

Naturally, this caused outrage among some of our customers. Both because we made this change and because we made the change rapidly (over the course of about 2 weeks with short notice).

What our API does, and why we changed enforcement

LimeLM is our software licensing product. Companies integrate our components and libraries into their software so they can sell their software accurately to their end-customers. After a company integrates our components into their software, the typical workflow looks something like this:

  1. An end-customer buys the software from the company.

  2. The company sends them a product key.

  3. The end-customer activates the software to that device using that product key. (Locking it to the device).

None of those steps requires using the LimeLM web API, but you could use the web API in step 2 to automate the product key generation.

Since the launch of LimeLM about a decade ago we’ve always told customers to treat the LimeLM API key as a password and never embed the key in any apps or client-side JavaScript. We started with a big warning directly under the API key on the settings page (which is still there), and more recently we’ve added a full article devoted to account security.

Needless to say, many customers outright ignored this advice. Some were just careless with their API key and included them in public repositories and scripts accessible from outside their companies. Some just deliberately ignored our advice and embedded their web API key directly inside their apps that they gave to their customers. Thereby giving everyone with access to their app-binary access to their LimeLM account.

Enforcing the rule: limiting API keys to a single IP address

The proverbial straw that broke the camel’s back for this whole situation was when we saw unusually high web API usage from a particular web API key. It turns out this customer (a large software company) had embedded their web API key directly in their app. We investigated the abnormal API key-usage and saw that the key was being used from all over the world. It didn’t look like this customer’s data was being leaked, but there was so much noise in the data that we could not tell.

We immediately told them what we saw, re-iterated that a web API key should never be embedded inside code that runs on the end-user’s computer, and we invalidated that API key.

Then we kept digging. And over a short period of time we saw some of our other customers making the same mistake. We notified them as well, blocked those API keys, and quickly implemented a 1-ip address per API key rule. And that’s where we’ve been for the past year or so.

A slightly more flexible future

In the near future (after we get out some higher-priority releases) we’re going to make the web API key usage slightly more flexible. Namely, we’ll allow an API key to be used from 3 to 4 IP addresses in the period of 72 hours. Meaning if you have a small pool of servers that uses static IP addresses this upcoming change will make things easier for you.

In the meantime these customers can create a new user (and thus new web API key) for every separate static IP address they need to use.

We will never allow more than a handful of IP addresses to use any single web API key. Some have requested we enable a range of IPs that include whole services (e.g. AWS). We will never do that. All modern services offer static IP addresses for all of their services. Even so-called “serverless” (🙄) servers (like AWS lambda or Azure cloud functions) have options to use static IP addresses. Google the particulars for your web-host of choice.

In the coming months we’ll make a few separate product announcements that will eliminate the need for most common web API calls in the first place. Thus eliminating these problems (and the need for separate servers) altogether. These solutions will be rolled out gradually.

Why do we care?

Why do we bother implementing any limit at all? It pisses-off some of our customers and it scares away other customers. The reason we do it is simple: we’re responsible for your customers’ data. Yes, these people are not our customers. But their data is in our servers and we need to ensure that that data is only transmitted to trusted end-points. By limiting API calls from a select number of IP addresses this forces you, as our customer, to consider your customers’ data safety and to properly implement data collection and transmittal.

Or, to put it another way: we actually take security seriously. So rather than implementing terrible security and writing a tepid PR-apology when data leaks, we’re proactive and go out of our way to ensure data doesn’t leak. It’s hard work and it sometimes requires usability trade-offs, but it’s what a serious software company should do. Namely, take data security seriously in the first place.

It’s not a perfect solution, but it’s a better solution than telling our customers to do things correctly (and hope & pray they do). How do we know? Because we tried that and a large number of our customers ignored us.

If you have questions, comments, or complaints about this policy shift, then feel free to comment down below.

– Wyatt O’Day
Founder & CEO of wyDay

We’ve just released TurboActivate 4.0 and TurboFloat 4.0. With these new releases comes some huge improvements and features. Read on for details, or if you want to jump right in, get them on your API page; it’s free for all LimeLM customers (whether you’re on the free plan or one of our paying plans).

No-click verified trials

Probably the biggest visible feature of this release is the new verified trials functionality in TurboActivate. This means you can offer trials to your users that are verified with our servers, cryptographically-signed, and locked to that machine, all without having to give your customers a product key ahead of time.

Per-seat licensing

What this means is that a potential customer can download your trial software from your website, and begin using the trial immediately. All of the “magic” of starting the trial for the machine, and making sure customer changes to the machine don’t “reset” the trial, are handled by TurboActivate and our proprietary computer-fingerprinting algorithm.

Don’t need to collect an email address

With our new no-click verified trials in TurboActivate 4.0, there’s no need to collect email addresses of customers. They can just start your app and TurboActivate & LimeLM will work behind the scenes to start (or resume) the trial of your app.

Trials can’t be reset

Another feature about our new no-click verified trials is the fact that the customer can’t reset them. Even if the customer completely wiped their hard drive, re-installed their operating system, and re-installed your app, the proprietary hardware-fingerprint algorithm in TurboActivate & LimeLM knows that the computer has already started the trial, and the user will continue exactly where they left off.

You can extend a customer’s trial at any time, and do it an infinite number of times

There are no limits to how many times you can extend the trials for potential customers.

Real-time tracking of trials

One of the benefits of this new no-click verified trial system is the ability to track in real-time who is trying your app, how long they used the trial, and how many people are trying it.

A ton of verified trials per-plan

All of the plans now have a verified trial limit based on the assumption that about 5% of trial users convert to be paying users. For example, the “Solo plan” (the $11/month plan) has a 300 activation limit, and a new 6,000 verified trial limit (meaning 6,000 different computers or devices can use the verified trial of your app).

Improved fingerprinting technology

Our hardware fingerprinting technology has gone through 4 major iterations (and countless minor iterations) over the past decade. This latest iteration is our best by far (and is a major leap over our last iteration). We’ve eliminated all known real-computer fingerprint false-positives and false-negatives on Windows, Mac OS X, and Linux.

We’ve put a lot of work and testing in this latest iteration to make sure your customers have a great experience using your app.

New thread-safe design

In previous versions of TurboActivate only a single thread in your app could use the library functions. Now any thread in your app can use the TurboActivate functions and TurboActivate internally handles the access controls.

Per-seat licensing

Added in TurboFloat 4.0 is the ability to limit exactly which username on which platforms can request license leases from the TurboFloat Server. Read more about per-seat licensing here.

Per-seat licensing

Full IPv6 support

All of our products now completely support IPv6, all while maintaining full compatibility with IPv4. This means you can use TurboActivate, TurboFloat, and LimeLM in any environment and know it “just works”.

New TurboFloat examples for Delphi and VBA

TurboActivate and TurboFloat work with any programming language or scripting language. But we like to write example apps and help articles to speed along our customers’ development. The two newest examples added to the list are for TurboFloat: Delphi (7 and newer) and VBA (Visual Basic for Applications) for Windows and Mac OS X.

Tons of behind-the-scenes fixes and speedups

We dedicate a lot of time making online activation as fast as possible for the end-user. This means if we can trim off a millisecond here or a millisecond there we will. And we’ve been doing that steadily over the past year, making the speed of the activation about twice as fast as it was this time last year.

Also, we’ve significantly improved our throughput capability (meaning we can handle many, many more activations and verified trials per-second).

This is by no means the end of the line. We have a ton of speedups coming over the next year. The faster we make the activation and verified trials processes the happier your customers will be.

Bug fixes galore

In addition to all of the new cool features, we’ve been chipping away at bugs. See the following links for a full list of features and fixes:

We’re not done – not by a long shot!

This year we’re making a whole slew of improvements to every one of our products. And we’ll be rolling them steadily. The next big update is coming to the LimeLM web interface. It’s old, it’s ugly, and it desperately needs some love. So that’s what we’re going to focus 100% of our concentration on over the coming months. And instead of rolling it out in one “big update”, we’ll roll it out gradually.