Why does ScriptMaster call home?

[madhatt]

So, I recently purchased the license for ScriptMaster and so far I really like it.... Except for one major issue.

 

 

I am trying to find out why my SM plugin is trying to call home every 30 seconds 24/7!

 

I have verified this with Wireshark. 

Every 30 seconds the plugin tries to reach https://secure2.360works.com or https://venus.360works.com

 

I have reached out to 360works to try to find out what the heck is going on.  Below are the questions they need to answer.

• What information is being sent in these "call home" messages?
  • Does it send the exact same information with each transmission?
• Why does your plugin "call home" every 30 seconds? (verified via wireshark and a 3 minute capture after opening up filemaker but no databases)
• What happens if I continue to block the plugins ability to "call home"? (I've been blocking this plugin's call home feature since I discovered it and have not seen any ill results)

 

This is of great concern to me after the recent news of the US government spying on it's own people came to light.  This traffic is encrypted so I have no idea what 360works.com is trying to gather from me.  Furthermore, it really doesn't matter because if the communication is encrypted, how can I trust what I'm told is inside the transmission?

 

I can somewhat understand the software calling home to verify the registration number I entered at the time of registration but I can think of no valid reason why an upstanding company would be doing this.

 

 

Any thoughts?

[madhatt]

Well, 360works reached out to me to answer my questions.  I don't really like the answers and feel as though this should have been clearly explained prior to my purchasing the software... but oh well... At least there's Little Snitch to block crap like this.

 

• What information is being sent in these "call home" messages?
  • licensing information: license key, registered to, product code, version, release date

  • FM environment information: application version, multi user state, ip address, system NIC address, system platform

So.... they collect all sorts of information about my system!  on par perhaps with the NSA?!?

 

• Why does your plugin "call home" every 30 seconds? (verified via wireshark and a 3 minute capture after opening up filemaker but no databases)?

  • The information is sent with the initial request then a heartbeat is sent every 30 seconds.

I'm not sure why anyone would need this data every 30 seconds... I mean, I own thousands of dollars of software from Adobe and they aren't this crazy!

 

• What happens if I continue to block the plugins ability to "call home"?

  • Once the plugin sends the initial registration request and the request is successful the plugin can be used offline.  However, some of our products are licensed per seat, in those cases we cannot accurately verify user count without the heartbeat and this can result in erroneus ‘user limit reached’ licensing errors.

 

 

So there you have it folks...  To be a 360works customer you have two choices...

1. Allow 360works.com to harvest your information on a never ending 30 second cycle
2. Take the extra step of blocking the traffic either with software (Little Snitch) or by editing you hosts file.

 

While I love the scriptmaster plugin I would never have bought it had I known about this egregious privacy violation!

[David Jondreau]

Excellent work! Is your version of SM paid or free? I wonder if this is true for SuperContainer, etc.

[David Wikström]

Haven't had the time to confirm this myself, but if this is indeed the case, I'm also wondering what the impact on performance is.

 

And of course, we really need to hear from 360Works on this one!

[Jesse Barnum]

360Works plugins talk to a licensing server when they are first launched to validate the license key, and to ensure that the product is not exceeding the maximum number of licensed users.

 

In addition, when the plugin is shut down, it sends a signal to the license server asking it to decrement the count of connected users.

 

However, if that's all we did, then any unexpected shutdown would leave an orphan record showing a connected user, which would cause the count of connected users to be incorrectly higher than it should be. That's why we send a heartbeat signal every 30 seconds - if the license server does not receive this signal on a regular basis, it knows that FileMaker exited unexpectedly, and it decrements the user count.

 

Here is the data payload that we receive when the plugin connects. There is no personal data in here. This particular example is for ScriptMaster:

 

Section 1:

<LicenseCheck><RegisteredTo>[changed]</RegisteredTo><LicenseKey>[changed]</LicenseKey><ProductCode>48</ProductCode><MajorVersion>1</MajorVersion><MajorReleaseDate>1279166400000</MajorReleaseDate><VersionString>4.201</VersionString><ExtraInfo></ExtraInfo><FmEnvironment><Platform>Windows 2003</Platform><JavaVersion>1.7.0_21-b11</JavaVersion><Architecture>x86</Architecture><Language>en</Language><Country>US</Country><ApiVersion>52</ApiVersion><AppType>3</AppType></FmEnvironment></LicenseCheck>

Section 2:

<ApplicationVersion>ProAdvanced 11.0v2</ApplicationVersion><HostApplicationVersion>Server 10.0v2</HostApplicationVersion><HostIPAddress>[changed]</HostIPAddress><MultiUserState>2</MultiUserState><SystemIPAddress>[changed]</SystemIPAddress><SystemNICAddress>[changed]</SystemNICAddress><SystemPlatform>1</SystemPlatform><UserCount>0</UserCount>

 

We carefully engineered this to use minimal resources. The heartbeat signal is sent out by a background thread that only wakes up once every 30 seconds and uses just a few milliseconds of CPU time before going back to sleep. Since it's on a separate thread, it will not block the main thread from running, even if it is unable to communicate with the server for some reason. It also uses an extended HTTP keepalive socket so that it's not having to re-connect to the server for every request.

[Josh Ormond]

For licensing of this type of product...I don't see this as intrusive nor excessive.  Other software does similar.  Try opening the same Adobe program on 2 different computers on the same network!!! It does something similar.  FileMaker itself also does the same thing using Bonjour. 

 

This is nothing like the "government spying" that you are referring to. Any networked software, in some way "spies" on network activity.

[john renfrew]

Thanks for the detailed answer Jesse.

[truelifeajf]

There's more personal information about you in the sidebar of your user info in this forum.

[Claus Lavendt]

Jesse, good idea to explain what is happening.

While it makes good sense to have this thing going for your products, that is licensed on seat basis, SM is not license this way….

So, why is it enabled in SM ?

And, will generated plugins from SM also behave like this ?

I have purchased the SM advanced license and use my generated plugin in almost any solution I create.

However, I do have a couple of customers with really "crazy" network admins, and it would be nice to know, if my generated plugin also makes these "call-home" calls….

[Jesse Barnum]

The free version of ScriptMaster does not call home (as far as I know, I haven't reviewed the code recently). The advanced version of ScriptMaster is licensed this way - it's only valid for a single user.

 

I don't remember how it works for SM generated plugins - I'll check and let you know.

[Claus Lavendt]

Hi Jesse

 

Thanks for fast response...

 

Just found another thread, where it seems that we got the answer….

 

http://fmforums.com/forum/topic/89269-scriptmaster-v-4205-update/

 

Am I right, that generated plugins does not "call-home", as the version history states that this is removed from v. 4.205 ?

[Jesse Barnum]

That's right. I couldn't remember whether I had done that or not, so I'm glad you checked.