We're a small 4-man team working on an indie games marketplace.
Like several previous posters before us, we are having trouble with the Windows Defender Smartscreen blocking our app. The most common message is "File is not commonly downloaded" but sometimes it also reads something like "Windows Protected your PC."
We've received a number of complaints from our users about the Smartscreen warning message, and it's badly hurting our efforts with user acquisition.
In accordance with previous threads we found on this topic, we have tried
Code Signing - we sign our code through DigitCert, and have done so for nearly 5 months; the message has not gone away. As we use AWS for our servers, we don't have any way to use an EV Code Signing hardware token.
Microsoft Code Review - We submitted our files to Microsoft for Malware analysis. The analysis came back clean, even with a note saying they could not reproduce the warning, and yet, both our own testing and our users confirms the Windows Defender message is still happening.
Becoming a Microsoft Partner - Unfortunately, even after getting approval and confirmation, absolutely nothing has changed.
Everything I can find online about getting our app whitelisted is about whitelisting specific programs from the user side -- not very useful for convincing people we're safe to download. There are two threads on Stack Overflow that link to a blog article which has since been removed. Microsoft, Amazon, and DigitCert support have all been less than helpful.
My questions are:
1. Is Amazon CloudHSM a substitute for EV Code Signing? As stated above, we can't use a hardware token, but I have to imagine that AWS has some kind of substitute. We've never re-issued the serial on our current code signing cert, but I can't imagine 5 months is a normal turn-around time.
2. Does hosting the download link on our own domain make a huge difference? Currently, the download link leads to an AWS bucket. One website said that could potentially slow things?
3. What else are we supposed to do? We're not a large team and we're kind of stretched thin as it is. If anybody has any suggestions we haven't tried yet, I'm all ears.
Related
I have two windows computers, both using the Microsoft Edge browser. When I'm typing on the Overleaf website, the connection gets lost every 2-5 minutes. What's worse, some unsynced sentences are gone when the connection resumes. I'm not sure whether this is a network problem since all other websites look good, including Twitter and Gmail. I wondered if this is about the framework of what Overleaf cloud service used. Could anyone give some tips about the issue here?
I have problem signing into Microsoft account from my local account on my machine. This used to be my work laptop I have bought it after I left company. I could sign in on my domain user without any problems. Since I left domain I lost this account.
I am trying to "Sign in with Microsoft account instead" option in Accounts->Your info. After I enter my Microsoft account credentials and insert my local user password I get message "Oops something went wrong. Whatever happen it was probably our fault". Good one Microsoft.
Also similarly when I try to add account to Calendar app I end up with same problem, but here I got more information: "You will need the internet for this. It doesn't look like you're connected to the internet. Check your connection and try again. 0x800704cf". This led me to check Network troubleshooter and this error came up:
Your computer appears to be correctly configured, but the device or
resource (www.microsoft.com) is not responding
Contact your network administrator or Internet service provider (ISP)
Completed Windows can't communicate with the device or resource
(www.microsoft.com). The computer or service you are trying to reach
might be temporarily unavailable.
I have tried many ways how to fix this. (Flush DNS, reboot router etc..), but I am pretty sure that my problem is not with my internet connection. It works perfectly fine, also note that I was able to check this with 2 internet providers with same result. Also another thing is, that this works perfectly fine with other devices in our household.
For me it looks like system don't see microsoft.com. Only thing I am able to work with is One drive.
I am pretty sure I would be able to fix this by resetting Windows 10, but I don't want to loose my installed programs (and licenses).
Any advice will be appreciated. I really ran out of options.
After doing many many thing, only thing that helped was resetting PC. It always does help.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I had to "sporadically" work with Heimdal / MIT Gssapi for kerberos authentication over past couple of years. I had to build an application that was to be used as a web-service running on a Linux box, and serve client applications like browsers, running on Windows and/or Linux Desktops and Workstations. Surely not the easiest of beasts to tame. Eventually when summarizing my work, I could record that the difficulties emanated due to challenges in multiple dimensions. Getting started with gssapi programming is truly a challenge just because of poor documentation, and practically non-existant tutorials. Googling mostly results in either some theoretical discussion on what's kerberos, or leads to content written with presumption that you already know everything besides some particular semantic issue.
Some really good hacks around here contributed to help me, I therefore suppose it would be a good idea to summarize the stuff, from a developer's perspective, and share it here as some sort of a wiki, to give something back to this fantastic place, and fellow programmers.
Haven't really done a wiki like this before, and I am surely no authority on GSSAPI nor Kerberos, so please be kind, but more than that please contribute and correct my mistakes. Site Editors, I am counting on you to do your magic ;)
Getting your project completed successfully will require 3 specific things to be done correctly:
Setup of your test environment
Setup of your libraries
Your code
As I said already, such projects are beasts, just because all the three haven't been put together on the same page anywhere.
Ok So let's begin at the beginning.
Unavoidable theory for a newbie
GSSAPI helps a client application to provide credentials for a server to authoritatively identify the user. Extremely useful because the server applications can modulate their served responses if they wish to, as per the user. Very naturally therefore both - the client and the server applications must be kerberized, or as some would state kerberos-aware.
The kerberos based authentication, requires both the client and server applications, to be members of a Kerberos Realm. KDC (Kerberos Domain Controller) is the designated authority that rules the realm. Microsoft's AD servers are one of the most popularly experienced examples of a KDC, though you can of course be using a *NIX based KDC. But surely without a KDC there can be no Kerberos business at all. Desktops, Servers & workstations joined into the domain identify each other as long as all of them remain joined into the domain.
For your initial experiments, setup the client & server applications in the same realm.
Though Kerberos Authentication can surely be also used across realms by creating trusts between KDCs of these realms, or even merging keytabs from different KDCs that do not trust each other. Your code will not really need any change to accommodate such different and complex-sounding scenarios.
Kerberos Authentication basically works via "tickets (or tokens)". When a member joins the realm, the KDC "grants tokens" to each of them. These tokens are unique; time and FQDN are essential factors for these tickets.
Before you even think of the very first line of your code make sure you have got these two right:
Pitfall #1 When you setup your development and test environment, make sure everything is tested and addressed as FQDN. For example if you want to check connectivity, ping using FQDN, not IP. Needless to say therefore, they must necessarily have the same DNS service configuration.
Pitfall #2 Make sure all the host systems - that are running your KDC, client software, server software have the same time server. Time synchronization is something that one forgets, and realizes to be amiss after a lot of hair-splitting, and head-banging!
Both, the client and server applications NEED kerberos keytabs. So if your application is going to run in a *NIX host, and be a part of a Microsoft Domain, you have to get a kerberos keytab generated, before we start to look at the remaining preparatory steps for gss programming.
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability at is an absolute must-read.
GSS-API Programming Guide is an excellent bookmark.
Depending upon your *NIX distribution you can install the headers & libraries for building your code. My suggestion however is to download the source and build it yourself. Yes, you might not get it right at one go, but it surely is worth the trouble.
Pitfall #3 Make sure that your application is running in an Kerberos aware environment.
I really learnt this the hard way, but maybe because I am not so smart. In my earliest stages of gssapi programming struggle, I had discovered that kerberos keytabs were absolutely necessary for making my application kerberos-aware. But I simply couldn't find anything about how to load these keytabs in my application. You know why?!! Because no such api exists!!!
Because: The application is to be run in an environment which is aware of the keytabs.
Ok, let me make this simple: Your application that is supposed to do the GSSAPI / Kerberos things has to run after you have set environment variable KRB5_KTNAME to the path where you have stored the keytabs. So either you do something like:
export KRB5_KTNAME=<path/to/your/keytab>
or make use of setenv to set KRB5_KTNAME in your application sufficiently before the very first line of your code that uses gssapi is run.
We are now ready to do the necessary things in the application's code.
I understand there are quite a few other aspects that must be reviewed by the application developer, to write and test an application. I know of a few environment variables, that can be important.
Can anybody please shed some more light upon that?
I'm currently developing a mobile app using Sencha Touch 2 and Phonegap. It's a game where you can "check-in" at some places and get some points every time you do a successful one (as in Foursquare).
I'd like to make it impossible for a clever guy (for example, someone that has decompiled my apk) to execute the REST web service (for example, mywebservice/checkin?access_token=abcde&latitude=12345&longitude=6789) with his computer or any other device outside of the app.
Do you have any idea of how I could achieve this ?
Thanks a lot,
In absolute terms, what you are looking for is impossible - if the app on the device contains the key and code necessary to send a valid message, and the device allows the user to decompile apps, then anyone can theoretically reverse engineer it and send whatever messages they want.
In practical terms though, it isn't worth worrying about - nobody will put that much effort into it, and you can probably detect accounts with suspicious activity fairly easily. Just use https and a simple token from the app code to stop anyone who can see the network activity but won't go as far as digging into the app code.
Couple options (depending on your exact scenario):
Bake user info and the app key into the security API key. This would ensure only valid account holders can use the API. Take a look at OAuth
Monitor per account or per connection service activity and look for any suspicious patterns. For example, if the app is operating in user think time then you would expect low numbers of calls per second.
I'm working on an online reservation system (the details aren't really relevant to my issue). It's mostly developped in C# with framework 4.0. I have a DB which contains, among other things, the products and the availability of these products. The DB is accessed by a web service, the latter being queried by a web application, which in turn sends the information to be displayed to the browser. Nothing too fancy in term of architecture, but I don't have much experience with that kind of system. This projet is quite old; it's been in development for a few years and I just hopped in six months ago, having no web programming experience before.
I'm currently experiencing concurrency problems. If I open two browsers window (any browser), enter the same query in both windows and post on both pages as fast as humanly possible, I get unhandled exception in my web service. One of the client gets the data, the other receives an error. EDIT : Also, I tested using two different computers simultaneously, and I still could get the unhandled exception.
I was able to trace the problem back to a cache system that was implemented almost a year ago. There's is no locking mecanism, and the cache uses a Dictionary (which is not thread-safe). A few Stack Overflow questions helped me in pinpointing the problem and how I should correct it (this one and that one for example).
That being said, I'm trying to reproduce the problem without having to manually click in two browser windows and hoping to get the right timing to access the same cache simultaneously. The reason I'm trying to do that is that I don't like implementing a solution that should work when I can't reliably prove it actually worked. Also, there's a lot of places where the cache has been (badly) implemented, and I'm not sure I can test all those places by "guessing" the right timing manually.
So, I downloaded Apache JMeter, and using Fiddler2 hooked up to my two browsers, I could find all the HTTP requests I needed to create a Test Plan that sends exactly the same requests.
But to my dismay, JMeter couldn't reproduce the problem, even if I set my Thread Group to create 40 concurrent users! Each one of them receives the data correctly, and none triggers the unhandled exception I am getting by doing it manually. I know it's not a cookie issue, nor a difference in user-agent, as I tested with multiple browsers and with disabled cookies. As the HTTP requests were created directly from Fiddler2, it shouldn't be an issue with hidden fields or URL rewriting, and there's no dynamic field names or content involved. I know Fiddler2 has a "replay" function, but even that couldn't reproduce the problem. This baffles me to no end.
So, my questions are : why can't I reproduce the problem with JMeter? Is there a better tool than JMeter (which is quite complete for a free software) to do that? What are the browsers doing that Jmeter doesn't do (apart from rendering the page, which is really not the issue here)?
Any thought would be much appreciated!
When you say 2 Windows are you sure they use 2 sessions, depending on the browser and the way you open the second window you won't get 2 sessions.
Are you sure you reproduced all the trafic between browser and server ?
If you have more than 1 request then you should Check if it's not 2 parallel Ajax requests from the browser , if so you must know That Without some custom scripting jmeter does not reproduce those 2 parallel request for same session(except for resources download), That might be your issue .
Regards
Philippe M.
http://www.ubik-ingenierie.com