Wednesday, June 16, 2010

The mysterious relationship between credit cards and your REAL Studio license key

This past April I wrote about how companies accepting payment via credit card are being required to use a higher level of security (SSLv3). This is better known as PCI compliance. Most of you don't have to deal with this at all and will simply benefit from having your credit card number stolen less often. Actually, while I applaud the increased security, most credit card numbers are not stolen by sniffing packets on a network, especially one using SSL. They are often stolen the old-fashioned ways (dumpster diving, for example, is a very common method).

But one way this could affect you (as I mentioned in the April blog post) would be if you have developed an application that connects via SSL to a web server that is also processing credit card payments. When that server is updated to SSLv3, your app may need to be updated as well. See my April post for more details on that.

One such application is any version of REAL Studio/REALbasic prior to 2010 release 2. We will be updating our web server to SSLv3 soon (we are required to by July 1st) and when we do, these older releases will no longer be able to connect to our server to verify your license key should you need to re-install it. But never fear. We have a solution. Should you need to reinstall your license key for REAL Studio/REALbasic 2010 r1 or earlier, please contact customer service and they will provide you with instructions. It's a very quick process. And we will reply back to your requests promptly.

I apologize in advance for the inconvenience. We, like all other companies that accept payment via credit card, are required to do this. REAL Studio 2010 Release 2 is already set up to handle SSLv3 so once you are up to date to this version or later, you will no longer have to deal with this problem.


Anonymous said...

Hi Geoff
I found the cocoa post very interesting but now you've buried it after a couple of days under another entry and I bet you won't blog again for ages!
Same thing happened a while back.

Amando said...

Hi Geoff,

I am really astonished by this post. I really can't believe RealSoftware is working hard on more DRM or security systems rather than working on promised features such as Cocoa and other projects that have been postponed for ages without any single post on your part on this blog.

While I had my licenses renewed and paid a lot of money, I never received any information about the promised features your company sold us, keeping many customers to trust you on new features that never arrived.

Now you inform us about a new anti-piracy feature that has zero benefit on devs that are renewing their subscriptions and expecting features that are promised for ages and are always on the 20% of last development, while you inform that a feature that is not of really top-notch to customers is ready.

In the same way I expect a real plan of what is promised and what is get by customers. IMHO, instead of informing what a company expect from their customers (piracy, etc... ) give us a roadmap of features. Bug Fixing is your fault. Do not pretend customers to pay your bugs and lack of quality results on us.

I, as a customer with some licenses, let me know when DLLs and DyLIBs will arrive, when Cocoa is bug free, when no bugs are re-entered, if you want my money go back to RealStudio.

You tell us about your new DRM. Brilliant. What else?

Is your company expecting us to pay for secret features or bug fixes for ages?

I am really sad to pay to bug fixing (while I paid) and no new significant additions have been done to RS without knowing any single feature.

This is not a MMORPG where you pay for skills nor spells. We need a bug free compiler that goes on with the trend as others such as Unity3D that each release we got an amount of new features and even software by free.

Now there are some other cross compile solutions, and even top notch engines such as BigWorld (AAA on MMORPG) are charging $299 on their cross platform AAA engines for a year!

Time to think twice about this. Sadly, English is not my native language and I am sure I have done a lot of mistakes. Still, I won't change my mind on RS while you release info about a DRM and not Cocoa, DLLs, etc.

I would like to use RS to on another engines, have a clear roadmap, let us know about changes and avoid the 90 days features for bugs. We want new features. Don't pay for your faults. If the car I buy is broken, it's not my fault.

I can't imagine why is Java used on most platforms, and can't use RealStudio to write software instead of a free language as Python, Boo, Javascript, etc.. DLLs and DyLIBs for ages!

All are cross-platform


Thom McGrath said...

Um, we didn't mention anything about a new DRM. The SSL changes are server-side as mandated by the credit card companies. It just so happens that a bug in HTTPSocket set the ConnectionType property wrong, so older versions won't speak to SSLv3 servers. It is nothing more complicated than that.

Keanu Grieves said...

It seems to me simply using a different server for credit card processing and one for license verification would allow those of us that don't leap right in to the latest version of the IDE to transition at our own speed.

I'm paid and up to date for at least 12 more months, but what about those who are sticking at version 2010R1? Must they in future activate by phone?

Thom McGrath said...

Unfortunately, putting our secure services on a different server is very impractical.

Gary MacDougall said...

"If the car I buy is broken, it's not my fault."

Funny, I keep telling my 18 year old son that if he keeps driving it around like it never needs oil and doesn't lay off beating it up, he won't be happy with the repair bill when it breaks down. He'll be happy to know that in Amando's world, it wasn't his fault.

PCI and credit card security is not an optional thing for merchants like Real Software. They face heavy fines and penalties if not obeying the rules.

I doubt RS is forgoing any features or fixing bugs to ensure our credit cards are safely handled. This is merely an important thing that as a business who charges credit cards MUST do by July 1.

Amando is like most Europeans that I run into in this field, completely oblivious to the credit card rules and regulations. Europe is living in a different world when it comes to all this stuff and they take a far different approach to the world of commerce... That's not to bash Europeans, that's only to point out that Amando completely missed the boat of the post and I suspect most non-American businesses would read this post as the same...

Andy said...

@Gary, whilst Amando does seem to have misunderstood some things, I am with Keanu in being disappointed that RS are not prepared to provide infrastructure for older versions to be validated without having to talk to technical support.

It might sound petty to say I object to staying up late to call the US (doubt if it is a toll-free call from Australia) but it also means I can't rely on older versions working if I'm doing a demonstration or switching between versions.

In the worst case, it means if I find myself (as in the past) working on multiple older versions of RB I have to keep multiple machines going and licensed simultaneously.

Geoff Perlman said...

Andy, if you have an idea as to how we can reasonably accomplish the goal of making older releases continue to validate their license keys the way they have in the past and still provide for the PCI compliance we are required to support, I'm all ears.

Anonymous said...

@Geoff: Offer retro-patches (SSL upgrade) for every release needed. You owe it to your customers.

ebaum said...

I just got bit by this. Working on a weekend to meet deadline and now I'm stuck waiting for you to respond? Not cool.

Write a utility app to handle revalidation for older releases. It can use SSLv3. Make it available 24/7 on your website. I'd be happy to use a workaround as long as one exists.