Friday, March 6, 2015

Safely use IndexedDB in iOS 8


I'm in a situation where users of my app ScoreGeek are filling up the 5MB limit imposed on LocalStorage and I need to switch to IndexedDB.

Upon making the switch I found that iOS and IndexedDB is seriously buggy when it comes to non-unique keys (it deletes values across separate tables if they share the same key...  jaw dropping bad bug).

I have a workaround that does essentially this:

1)  Whenever you set an object from IDB you pass the existing object ID and the table name

2)  The table name, original ID and variable type are used to create a unique string

3)  The unique string is used as the new key.  The original key is appended to the object as "origKey".

4)  When you get an object you pass the table name and key again.  That is used to find the object.  Then the "origKey" value is set back to the keypath and the object is returned.

Using this method no two tables will ever have the same key, so the iOS bug is avoided.

If you must sort numerically by ID then you will want to create an Index for origKey and sort using that. You can also create a KeyRange for origKey to find specific values or ranges.

Hopefully this will help other people who are pulling their hair out over this.  I have tried to comment out any lines that are specific to my code (like the Toast.toast stuff) but I haven't run this code standalone.

Here is the code:


var idbConvertId = function(id, table) {
    var s = "?";
    var sKeyPath;
    if (typeof id === "string") {
        s = "s";
        sKeyPath = id;
    } else if (typeof id === "number") {
        s = "n";
        sKeyPath = id.toString();
    }
    sKeyPath = sKeyPath.replace(/\//g, "[[[fs]]]");
    id = table + "/" + s + "/" + sKeyPath;
    return id;
};

idbRevertId = function(obj, keyPath) {
    obj[keyPath] = obj.origKey;
    delete obj.origKey;
    return obj;
};

var idbSetObj = function(obj, table, callback) {
    var value = JSON.parse(JSON.stringify(obj));
    var db = myIndexedDB.db;
    if (db) {
        try {
            var trans = db.transaction([table], "readwrite");
            var store = trans.objectStore(table);
            var keyPath = store.keyPath;
            value.origKey = value[keyPath];
            value[keyPath] = idbConvertId(value[keyPath], table);
            var request = store.put(value);
            trans.oncomplete = function(e) {
                callback(true);
            };
            trans.onabort = function(event) {
                var error = event.target.error; // DOMError
                if (error.name == 'QuotaExceededError') {
                    // Fallback code comes here
                    Toast.toast("Storage quota exceeded, some data was not saved");
                } else {
                    Toast.toast("Transaction " + err.name + ": " + err.message);
                    //console.log(err);
                }
            };
            request.onerror = function(e) {
                Toast.toast("Request " + err.name + ": " + err.message);
                callback(false);
            };
        } catch (err) {
            Toast.toastMiniLong("Store " + err.name + ": " + err.message);
            CloudAll.abort = true;
            callback(false);
        }
    } else {
        callback(false);
    }
};

var idbGetObj = function(id, table, callback) {
    var db = myIndexedDB.db;
    if (db) {
        var trans = db.transaction([table], "readonly");
        var store = trans.objectStore(table);
        var keyPath = store.keyPath;
        var keyRange;
        id = idbConvertId(id, table);
        keyRange = IDBKeyRange.only(id);
        var cursorRequest = store.openCursor(keyRange);
        var ret;
        cursorRequest.onsuccess = function(e) {
            var result = e.target.result;
            if (result) {
                ret = result.value;
                ret = idbRevertId(ret, keyPath);
                callback(ret);
            } else {
                callback(null);
            }
        };
        cursorRequest.onerror = function(e) {
            callback(false);
        };
    } else {
        callback(false);
    }
};

var idbFindObjs = function(tableName, keyRangeObj, indexName, maxRecords, sortOrder, callback) {
    var count = 0;
    var max;
    if (maxRecords === 0) {
        max = 100000000;
    } else {
        max = maxRecords;
    }
    var objs = [];
    var db = myIndexedDB.db;
    var ret;
    if (db) {
        var trans = db.transaction([tableName], "readonly");
        var store = trans.objectStore(tableName);
        var keyPath = store.keyPath;
        var cursorRequest;
        if (!indexName) {
            cursorRequest = store.openCursor(keyRangeObj, sortOrder);
        } else {
            var myIndex = store.index(indexName);
            cursorRequest = myIndex.openCursor(keyRangeObj, sortOrder);
        }
        cursorRequest.onsuccess = function(e) {
            var result = e.target.result;
            if (result) {
                ret = result.value;
                ret = idbRevertId(ret, keyPath);
                objs.push(ret);
                count++;
                if (count < max) {
                    result.continue();
                } else {
                    callback(objs);
                }
            } else {
                callback(objs);
            }
        };
        cursorRequest.onerror = function(e) {
            callback(Globals.empty);
        };
    } else {
        callback(Globals.empty);
    }
};

var idbFindObjKeys = function(tableName, keyRangeObj, indexName, maxRecords, sortOrder, callback) {
    var count = 0;
    var max;
    if (maxRecords === 0) {
        max = 100000000;
    } else {
        max = maxRecords;
    }
    var objs = [];
    var db = myIndexedDB.db;
    if (db) {
        var trans = db.transaction([tableName], "readonly");
        var store = trans.objectStore(tableName);
        var cursorRequest;
        if (!indexName) {
            cursorRequest = store.openCursor(keyRangeObj, sortOrder);
        } else {
            var myIndex = store.index(indexName);
            cursorRequest = myIndex.openCursor(keyRangeObj, sortOrder);
        }
        cursorRequest.onsuccess = function(e) {
            var result = e.target.result;
            if (result) {
                objs.push(result.primaryKey);
                count++;
                if (count < max) {
                    result.continue();
                } else {
                    callback(objs);
                }
            } else {
                callback(objs);
            }
        };
        cursorRequest.onerror = function(e) {
            callback(Globals.empty);
        };
    } else {
        callback(Globals.empty);
    }
};

var idbDelObj = function(id, table, callback) {
    var db = myIndexedDB.db;
    var trans = db.transaction([table], "readwrite");
    var store = trans.objectStore(table);
    var keyPath = store.keyPath;
    var new_id = idbConvertId(id, table);
    var request = store.delete(new_id);
    trans.oncomplete = function(e) {
        callback(true);
    };
    request.onerror = function(e) {
        callback(false);
    };
};

var idbDelObjs = function(tableName, keyRangeObj, indexName, maxRecords, callback) {
    var a;
    var id;
    idbFindObjKeys(tableName, keyRangeObj, indexName, maxRecords, 'next', function(keys) {
        var l = keys.length;
        var delIt;
        delIt = function(id, tableName) {
            idbDelObj(id, tableName, function(success) {});
        };
        for (var i = 0; i < l; i++) {
            a = keys[i].split("/");
            id = a[2];
            if (a[1] === "n") {
                id = parseInt(id, 10);
            }
            delIt(id, tableName);
            if (i === (l - 1)) {
                if (callback) {
                    callback(true);
                }
            }
        }
        if (l === 0) {
            callback(true);
        }
    });
};

And here are some of the ways I 've been using it:

this.findAllLocations = function(callback) {
    var tableName = "Locations";
    var keyRange = null;
    var indexName = null;
    var maxRecords = 0;
    var sortOrder = 'next';
    idbFindObjs(tableName, keyRange, indexName, maxRecords, sortOrder, function(results) {
        callback(results);
    });
};

this.deleteLocationById = function(name, callback) {
    idbDelObj(name, "Locations", function(success) {
        callback(success);
    });
};

this.findBreakdownByScore = function(score_id, callback) {
    var tableName = "Breakdowns";
    var id = idbConvertId(score_id, tableName);
    var keyRange = IDBKeyRange.only(id);
    var indexName = 'scoreId';
    var maxRecords = 0;
    var sortOrder = 'next';
    idbFindObjs(tableName, keyRange, indexName, maxRecords, sortOrder, function(results) {
        callback(results);
    });
};

Wednesday, October 15, 2014

How to Preload Audio in PhoneGap


I just spent days making a simple buzzer in an iOS app!  You push a big red button and it plays a buzzing sound.

Actually, it took about 20 minutes to get it working, but there was a 1-2 second pause after pushing the button before the sound would play, which is unacceptable.

So of course I googled Preload Audio Phonegap and the found a bunch of plugins that claim to do that.  Implementing them was time consuming and no matter what I did I just couldn't get them working.

Then I thought: I wonder what will happen if I just play the file once at zero volume to preload it?

Well, folks, that's all it took.  I feel so foolish for wasting my own time; maybe this post will help you not waste yours.

function playAudio(src, preload) {
  //requires Cordova Core Media plugin
  //src is the path to the file in your www folder
  // for example, audio/buzzer.mp3

        function audioSuccess() {
            console.log("[AUDIO]: Created " + src);
        }
        
        function audioError(msg) {
            console.log("[AUDIO]: Error " + msg);
        }
    
        // Create Media object from src
        my_media = new Media(src, audioSuccess, audioError);
        
        // Play audio
        if (preload === true) {
            my_media.setVolume(0);
        } else {
            my_media.setVolume(1);
        }
        my_media.play();   

}

Tuesday, September 23, 2014

Firefox OS: Converting a camera image to a base64 encoded image URL


I'm porting my apps ScoreGeek and Easy Password Storage to Firefox OS, and ran into some issues with saving images returned by the camera or gallery picker.

The problem is that I am used to Android and iOS returning a base64 image URL, but Firefox OS returns a blob URL that points to a local location on the device, like this:

blob://alksdjfoasdi029alfiasfjalsia93lrahsfhaslekfhasfe

You can load that URL into a image tag's source and it displays, but you can't resize it, save it, send it to another device, or even keep it around after you turn off the phone.

My objective is to save it as a Base64 encoded image URL and then put it into LocalStorage or push it to my cloud server to be downloaded by other devices.

After days of fooling around with FileReader I gave it up and found the correct approach: use a picker to get the photo data (as a blob:// url), load the blob URL into an image, then copy the image data to a canvas, and convert it to a Data URL.  The result is a base64 encoded image URL that can be saved on the device.

I've copied the relevant functions from my code below, but it will require some modification to run in your environment.

I hope this helps someone else with the same problem!

var devicePlatform = getDevicePlatform();

var pick = new MozActivity({
                        name: "pick",
                        data: {
                            type: ["image/png"]
                            }
                        });
                        
                        pick.onsuccess=function() {
                            var res=pick.result;
                            // Create object url for picked image
                            var photoURL=window.URL.createObjectURL(res.blob);
                            gamePicSuccess(photoURL);
                        };
    
                        pick.onerror = function() {
                          console.log(this.error);

                        };

gamePicSuccess: function (imageData) {
        var $el = $('#imgGameImage'); //jquery variable pointing to the element where the image will be displayed
        
        if (devicePlatform === "FirefoxOS") {
            var elDom = document.getElementById("imgGameImage");
            function myLoad() {
                elDom.removeEventListener('load', myLoad); // to avoid a loop
                var imgCanvas = document.createElement("canvas"),
                imgContext = imgCanvas.getContext("2d");
                imgCanvas.width = elDom.width;
                imgCanvas.height = elDom.height;
                imgContext.drawImage(elDom, 0, 0, elDom.width, elDom.height);
                var imgAsDataURL = imgCanvas.toDataURL("image/png");
                $el.attr('src', imgAsDataURL).load(); 
            }
            
            elDom.addEventListener("load", myLoad, false);
            
            $el.attr('src', imageData).load(); 
        }
        

    };

function getDevicePlatform() {
    //console.log("getDevicePlatform");
    var device;
    var deviceArray;
    var userAgent = navigator.userAgent;
    //console.log(navigator.userAgent);
    //userAgent = "Mozilla/5.0 (Mobile; rv:14.0) Gecko/14.0 Firefox/14.0";
    if (userAgent.match(/(iOS|iPhone|iPod|iPad|Android|Windows Phone|Mobile)/)) {
        deviceArray = userAgent.match(/(iPhone|iPod|iPad|Android|Windows Phone|Mobile)/);
        //console.log(devicePlatformArray);
        device = deviceArray[0];
        if (device === "Mobile") {
            deviceArray = userAgent.match(/(Firefox)/);
            device = deviceArray[0];
            if (device === "Firefox") {
                device = "FirefoxOS";
            } else {
                device = "Browser";
            }
        }

        if (device === "iPhone" || device === "iPod" || device === "iPad") {
            device = "iOS";
        }
        if (device === "Windows Phone") {
            device = "WinPhone";
        }
    } else {
        device = "Browser";
    }

    return device;
};

Friday, January 17, 2014

Windows 8 Microsoft Account Login Complaints

I think that using a Microsoft Account as the method to login to a computer is bad security.

I have been trying to shore up the security of my online accounts recently.  The way I've been doing it is to use my password manager, Easy Password Storage, to create random passwords for each of my website accounts.

Then, when I need to visit a website, I open Easy Password Storage and copy my password to the clipboard so that I can paste it into the website I'm visiting (I try to use at least 36 random characters to prevent brute force attacks, which means I don't know my passwords by memory any more).  The app makes this easy by launching the appropriate URL and copying my password to the clipboard so that I can paste it into the website's login form.

Window 8 allows me to set up my PC login using my Microsoft Account.  The problem is that when I'm logging into a computer I need a password that I can remember because I can't access my app to copy and paste my password when logging in to my PC.

My Microsoft Account protects much more than just my PC login: it protects my apps, my financial data, email and more.  I want a secure password, but there's no way I can remember 36 random characters each time I launch Windows.

I think the solution here would be to have a separate PC login password when using your Microsoft Account to log into your PC.  The chances of anyone at Microsoft reading this blog are slim, but I suppose it could happen....

Until then I think there are some alternatives, like using a PIN or a picture password...  they don't seem very secure to me either but I guess it's the only option if I want a very secure password for my Microsoft Account.  Maybe someone can recommend a more secure method in the comments?

Easy Password Storage, by Rebrand Software, LLC is currently available at the following locations:



Thursday, January 16, 2014

Securing Your Online Identity After Being Hacked

The other day my Twitter account @MikeKGibson was hacked.  The attacker sent out messages to everyone who follows me with URLs to other twitter users' status updates, which in turn were links to suspicious websites.

Luckily, I caught it within an hour before the hackers had a chance to tweet something like "I like to #SniffMyOwnButt" on my behalf.  I tweeted my followers warning them not to click on the links.

But, worst of all, the attackers now have access to my password, giving them easy access to any other website where I used the same password.  Let's be honest, many of us use the same or similar passwords on all our website accounts.

If your own passwords are ever compromised ("before your own passwords are compromised" may be more accurate) here are steps you can take to minimize the damage by using a password manager app like my own Easy Password Storage.

The idea is not only to create strong passwords that cannot be brute forced, but to use a unique password for every website you visit.  That way one stolen password cannot be used to access any account but the one that is hacked.  You never know which big company is going to be hacked, or which website stores your passwords in plain-text.

Here is how I use Easy Password Storage to deal with this:

  1. Each time I create an account on a website I open my password manager, Easy Password Storage
  2. I add the account to my list and use the password generator to generate a random password with as many characters as possible.  I aim for at least 36 random characters if it is allowed by the website.
  3. I turn off "Save password" features of the browser.  It's a pain to lose this feature, but it's so easy for a hacker to gain access to them (have you ever tried typing "chrome://settings/passwords" in Chrome, for example?)
  4. When I know I'm going to visit a website that will require a password, like my bank, I tab over to Easy Password Storage, select my bank entry, and click the Launch button.  This copies my long, random password to my clipboard and opens my bank's URL.  Now I can simply paste my password in.
  5. I have Easy Password Storage set to erase my clipboard 30 seconds after I copy my password for extra security.
I won't lie, it's more time consuming to create random passwords for each website, but I suspect it's nothing compared to the time I would have to spend changing passwords and recovering accounts after a major hack.

Once you have put a system like this in place it means you no longer know your own passwords from memory.  It's important that you have access to your passwords on all your devices.  That's why Easy Password Storage has cloud sync as well as offline import/export ability.  

As a developer I have all sorts of computers (Mac, Windows, iPad, Android Tablet, Android phone) where I need to have access to my passwords, and Easy Password Storage keeps them encrypted and synchronized automatically in the Cloud.  For more information, here is an article I wrote on Using Easy Password Storage in the Cloud.

Luckily, my Twitter password was unique and can't be used to hack my other accounts. I recommend you put a similar process in place with your own accounts now: it's much easier to deal with hackers now, before they have a chance to get into your bank account or trick people into thinking you #SniffYourOwnButt.


Easy Password Storage, by Rebrand Software, LLC is currently available at the following locations:


Tuesday, January 14, 2014

Using Easy Password Storage in the Cloud


Easy Password Storage is my password management app which has been receiving great reviews like:
"This is the best password app at the app store. You have to have it!" -The Bold Man, Mac App Store

"It’s simple, easy to use, high level of encryption and is fast, so not waiting ages for logins or anything. Very handy, I’d be lost without it." -dbirch, Mac App Store

Version 4 recently unveiled cloud support and mobile companion apps for the following platforms:

iOS / Android / Kindle / Windows Phone / Mac OS X / Windows (links to app stores below)

This version comes with the ability to synchronize passwords between all of your devices in the cloud. I want to touch on some of the ways you can benefit from using the free cloud service on your devices.

  • Backup: Even if you don't have multiple devices to synchronize you can still benefit form having an encrypted backup of your passwords in the cloud.  If you drop your phone in the toilet and replace it with a new one, just install the app and your passwords will be restored.
  • Similar Device Sync: One copy of the iOS app will work your iPhone, iPad and iPod as long as you're using the same apple account.  Add a password on one and it shows up instantly on the others.
  • Sync cross-platform: Add passwords on your iPhone, they show up on your Kindle Fire and your Windows Desktop versions of the app.
  • Easily switch phones: If you decide to switch from your Android phone to an iPhone in the future, no problem, your passwords will come with you.
Security is our number on concern.  Here is how the app handles your data before sending it to the cloud:
  1. Your passwords are encrypted by the app with your private Master Password with your choice of either Blowfish 448 bit or Advanced Encryption Standard (AES) 256 bit encryption. 
  2. Next, the app encrypts that data with our developer key using 448 bit encryption.  Now your data is doubly encrypted.  
  3. That data is encoded for extra security and ease of transfer
  4. A connection to the cloud server is established over an HTTPS connection
  5. The data is encrypted in transit to our cloud server using SSL
  6. Your private Master Password is never sent to the cloud or stored anywhere.  That means we can't access your passwords (and unfortunately means we can't recover them either, so remember your Master Password!)
  7. All that is done in reverse when the data is sent back to your devices.  Only an app with the same username, master password and encryption type can decrypt your data, and the user must be signed into your cloud account as well.
Even with that level of security you may still decide you want to backup or sync your data offline, which is why we have included the ability to import/export passwords encrypted in file or text format. The app can run completely offline and still keep your passwords synchronized.

Here are all the devices and app stores where Easy Password Storage is currently available:


iPhone/iPad/iPod - iTunes

Mac OS X - Mac App Store

Windows/Mac OS X -  Direct from RebrandSoftware.com

Windows Phone

Android - AppsLib

Thursday, April 25, 2013

Recovering From Accusations of Malware

Introduction


Here is the story of my 8 year battle against false reports of malware in my software, how I eventually won that battle, and how you can ensure the same thing doesn't happen to your website or products.

The Beginning: Can one person make an effective anti-spyware product?


In 2005 my software company was two years old, I had a good number of customers, and people were hungry for more private label software.  The economy was great and I had a lot of requests to create new private label applications.

In particular, there were many requests for anti-spyware and anti-virus products.  However, I always turned them down citing the inability to maintain a good definitions database.

Eventually, I found a way that I could maintain a definitions database for spyware (not antivirus) by creating internal software that sourced information about files from the web, meaning I didn't need a team to maintain definitions.

With that, I created what I think was a fairly good and safe anti-spyware product that I called Ad-Purge.    Upon release it sold well and people seemed to like it for a light-weight spyware solution.  However, because of the crowd sourced definitions it was prone to false positives: if a lot of websites thought a file was spyware then Ad-Purge did too.

The Spyware Warrior on the Offensive


Within a few months of release Ad-Purge was labeled as a "rogue anti-virus product" by a person who called himself Spyware Warrior.  I, of course, was appalled.  I wrote to him trying to clear my name; I made changes to the software to make it more consumer friendly; I kept a close watch on the definitions to avoid false positives, but Spyware Warrior was determined that I created the product with bad intentions.

I eventually decided that Mr. Spyware Warrior was simply a jerk and went back to what I enjoyed: writing software instead of spending time trying to appease him.  This was a mistake, for the spyware community took his opinions as fact causing Ad-Purge, and worse my website, to show up on many different blacklists and malware sites.

In 2008 I was forced to simply discontinue Ad-Purge in order to avoid being caught up in any more of these false accusations.  Eventually the false positives went away for the most part and business resumed as usual.  I continued to sell the private label version but made sure my customers could not repeat my mistakes.  In particular, I turned down many requests from my customers to make the demo version detect spyware but not remove it until the software was purchased in full.

Five Years Later


Recently, in 2013, I became aware that my website and business had extremely negative reviews on a crowd sourcing security website called Web of Trust (WOT).  Upon closer inspection I discovered that we had some good customer reviews but the vast majority listed us as a malware website!

Here is our current Web of Trust page: http://www.mywot.com/en/scorecard/rebrandsoftware.com

I began by replying to each of the user reviews that cited malware and asking them to reevaluate their ratings.  They were helpful but reluctant to change their rating unless I had my software removed from various website reputation scanners, for example:

URL Void: http://www.urlvoid.com/scan/rebrandsoftware.com/
Virus Total: https://www.virustotal.com/en/url/88a6e...

These tools list scan results from various security software vendors.  If any of the vendors think your website is malicious then it is a bad sign.

RebrandSoftware.com was listed by over 20 different vendors as being a distributor of malware.  When I contacted some of the vendors they made circular references: we can't take you off our list because you're listed on URL Void.  Obviously I couldn't get removed from URL Void without them first taking me off their list.

The Solution


What I had to do was track down every suspicious file or URL that was being tracked by these vendors, make sure it was actually safe, and use all of their false positive reporting tools to contact them individually.

I noticed when scanning my software executables that VirusTotal.com thought many of my programs written in Visual Basic 6, our older programming language, were spyware.  As a simple test I recompiled the software on an updated system, resigned our executables and installers, and uploaded the new copies to our website.  This took care of about 75% of the false positives.  I don't know what they were keying on, maybe an old VB6 .dll file, but I suspect that those files are used by potentially millions of applications written in the early 2000s that are also being falsely accused of being spyware.

Next, I went through all the URLs on our site that were flagged as malicious.  Many of them were old URLs that are not even in use, pointing to blank pages or error messages.  It seemed that many of the vendors never bothered to check what was actually at the URL they were condemning, they simply found it listed by other vendors and added it to their own database.

Armed with the knowledge that everything on my website was safe I began submitting false positive reports to the antivirus vendors.  Sometimes you have to sign up and post on a forum, sometimes there is a false positive submission form, and sometimes you have to download the company's product and register your email address (sketchy).

Most vendors removed the false positives right away, but many took no action or used more circular logic.  I wonder if they actually look at the content of files and URLs or they just crowd-source their definitions like I did... lesson learned.

When it came down to only 4 or 5 websites reporting malware I resolved to contact them every day, repeatedly, until they responded.

I have also been tracking down blog posts which list us as a malware distributor and leaving comments that explain what my company does.  A quick look at my website shows that my apps are highly rated on places like the Mac App Store and the Windows Store, meaning they have been scrutinized and vetted by companies who hopefully would never let malware into their systems.

Are My Customers Malicious?


I wonder how, after the 2008 incident, all this started up again and I suspect that I have a small number of customers who are actively using my rebranding services to create fake programs and distribute viruses with them.  I rebrand our software for other companies to sell, and I suspect that some of my customers must be modifying the executables after I deliver them.

I don't have a good way of knowing whether it is deliberate or not.  It's certainly possible that one of my customers had an infected computer, purchased clean software from me, downloaded it, it was infected on their computer, and then they tried to distribute it.  Obviously this is a bad practice and all software should be verified clean before distribution.

One sure indicator of a fraud is when I am paid hundreds of dollars for a product and the purchaser seems to take no interest in their final product's quality.  They will upload poor quality images even though my artist can create professional graphics for them for free.  Sometimes they provide URLs which are dead or point to an unregistered domain.  Then their payment will be charged back and I know the whole thing was a ruse.  Was this someone with malicious intent or just someone trying to use a stolen credit card?  Maybe both?  I don't know.

I've learned to spot those obvious cases, but I certainly can't tell a person's intentions from their normal transactions with me.  It is against our terms of service for our customers to do anything illegal with the software purchased from us, including distribute malware or engage in scamming.  The vast majority of my customers are people interested in making money with shareware or trying to offer a bonus product to their customers.  Having software with your name on it can impress clients, make your website more legitimate, create more sales for other products when packaged, etc.

I don't think it's up to me to judge people's intentions.  All I can really do is respond to any inquiries by anti-virus vendors.  

The number of anti-virus vendors who have contacted me in the past 10 years about my software or my customer's?  Zero.

In the end I simply decided to discontinue the anti-spyware product entirely.  I will continue to update the definitions database for the legitimate customers who vastly outnumber the potentially bad ones.

My Name Is Cleared, Kinda


Now, finally, I have been removed from every major website credibility reporting tool and most anti-virus vendors.  One vendor, AlienVault, responded to my technical support request with a phone call from a sales rep.  When I asked him if the support team knew how I could report a false positive he asked them and responded "They don't know but they're looking at like 7 monitors right now."  Ugh.

I have bookmarked my WebOfTrust, URLVoid and VirusTotal pages and intend to check them frequently.  If you have websites or distribute shareware I highly recommend you do the same.  These anti-virus vendors are not going to contact to you if your site or products get falsely accused.  And worse, if any false positives start making the rounds they are sure to be amplified by security vendors copying each other's records.  It's something that has to be stopped immediately or it spreads out of control.

Web of Trust currently reports that my website is trusted, but only barely.  My hope is that their users will reevaluate my website and change their scores.  I'm also going to start promoting Web of Trust on my website so that my actual customers can report their good experiences.  If you have a moment, I sure would appreciate a positive rating there: http://www.mywot.com/en/scorecard/rebrandsoftware.com

Now, hopefully, I can get back to what I really love: writing apps!