Strongbox Frequently Asked Questions
How does it work?
No, really, how does it work?
It generates a cryptographically secure, time-limited, one-time pass tied to certain identifying characteristics of the user's browser. That's about all I'll say on that subject until the patents are secure.
The Strongbox security system sounds like everything I'm looking for, and therefore, too good to be true. But I understand that you are well-known in the adult internet business, and that's encouraging.
I have been around a while (since 1997) and I think you'll hear from other people that what I say about the product can be relied upon. I also try to be sure to mention the less positive aspects, such as it being a bit of a pain to set up.
Is it a flat one time fee, or per month? Are there any setup fees?
The license/setup fee is a flat fee per site, with no monthly charges. This includes 30 days of free email and telephone support. The forum and wiki are always free, of course. For sites with greater support needs, it's become necessary to offer a support plan for a small *yearly* charge. This is very inexpensive compared to services that provide much less functionality and charge a much higher monthly fee. Some people wonder why it's so inexpensive if it's so good. There are two reasons. First, we use and believe in free software such as Linux. We can't give the Strongbox security system (tm) away free and still pay the rent, but we do believe in giving webmasters the best deal possible. Secondly, our pricing reflects the fact that most webmasters trust my judgement and simply place an order, without needing several hours of meetings or phone calls to make a decision. In the corporate world it is common to spend far more time in discussions than actually doing anything. Thus many vendors' prices reflect the fact that they expect to spend several hours with you regarding each purchase. We don't write formal proposals and we don't have meetings, so we can charge only for the actual program. (Ongoing support IS available, but very extensive support may be charged separately.)
How long does it take to install Strongbox?
Often we can get it done the same day if we receive your order by 3PM CST. We generally tell people two to three business days, though, because some installations may take longer. Installation can be delayed if your web host doesn't respond promptly to something that is needed; for example, if your server is configured to not allow CGI scripts, we'd have to wait until your host fixes that.
What kind of support is included in the annual support contract? Does this consist of "chatting" or going to the "box" and changing the config if necessary?
Paid support includes pretty much whatever you might need: you can call and talk to the developer if needed, or we can call you, we can change configuration for you, or fix the system if it gets broken in an improperly executed server move or something like that. The 30 days of free support include the kind of minor support you would probably expect; again, phone support is available. With the free support we encourage people to learn about the system so that you can use it most effectively without assistance, so for example we may answer a question by sending you illustrated instructions on how to do something, as opposed to just doing it for you and leaving you not knowing what we did or how we did it. After the 30 day period, we ask people who have not paid for continuing support to use the online owners' manual and the web based forum before contacting us, and we may charge a small labor fee for work that needs to be done.
So, does strongbox work with the .htaccess file?
The Strongbox security system does NOT use the old fashioned .htaccess directives like "AuthUserFile" and "require valid-user". The Strongbox security system DOES use its own special directives in a .htaccess file.
Does it require a special login page?
Because of the weaknesses inherent in the old fashioned "mod_auth" grey box pop-up, the Strongbox security system replaces that system with one in which the user actually logs in through a special login page, and thereafter the Strongbox security system recognizes the user based on their session ID and system fingerprint. See the question "How does the Strongbox security system (tm) compare to PennyWize?".
I'm assuming that the Strongbox security system will run on Linux/Apache. Is it a compiled application? A set of mod_rewrite rules? PHP or Perl?
The Strongbox security system is designed for Linux and Apache and is also running on BSD systems. The normal installation consists of Perl scripts, rewrite rules and just a bit of self-compiling C code. There is also an Apache module version available for specialty uses.
I understand the Strongbox security system produces a log file of sorts. How do you configure it? Or will I be able to alter its configuration after you've installed it?
It does produce a log of logins for each site, which by default is in the Strongbox security system installation directory. This log generally remains very small and thus doesn't require any maintenance. The only configuration option for the log is its location. Like all configuration, that is set via a simple variable in config.pl. For more information, please see our reporting and member management module.
Does the Strongbox security system require a connection to your server, like older IP counting systems? When my existing service goes down it takes my site down with it.
Unlike less capable systems, the Strongbox security system runs entirely on your server and does NOT depend on a connection to our servers. I believe it's totally unacceptable to create a situation where your members can't login to your site just because the company providing your password monitoring service is down.
Update - the optional origin country analysis and reporting and real time proxy detection systems make use of our high speed servers, but do NOT depend on them being available. If our server were down for some reason, your users could still login normally. The Strongbox security system simply would not make use of origin country analysis during the downtime. As the Strongbox security system is the only known system to ever use this analysis, leaving that part out just makes it three times as effective as other systems rather than four times as effective, like it normally is.
My current system, for which I pay a monthly fee, often disables legitimate members of the site. Does the Strongbox security system do that a lot?
That has been a big problem with the old "band-aid" services for years. In part, it's due to their approach of trying to patch up the holes inherent in the basic username / password authentication method. Kind of like trying to plug the holes in a chain link fence, it doesn't work very well and there are often errors. By replacing that old chain link fence with a modern wall of protection, the Strongbox security system is not limited by the old system, which was specifically designed to be insecure. It can therefore be far more accurate about which requests to allow and which to block. For example, the Strongbox security system can analyze which countries login requests are coming from, something that the monthly fee services cannot do because of the hit-by-hit analysis which their old fashioned approach requires.
Also, the Strongbox security system doesn't just permanently kill a username when it sees the first signs of possible abuse. Unlike the clumsy services that you may be accustomed to, the Strongbox security system takes a more measured and precise approach. The Strongbox security system has two stages of defense for shared passwords. When it detects a username/password that has probably been compromised, it suspends that username temporarily. At that point it also takes action to reduce the potential load put on your server should there be an extremely large number of people hitting your server, trying, (and failing), to access with that username. If several more people continue to try to login with that same username, the Strongbox security system permanently disables the password. It then emails you to let you know that it has detected and taken care of the problem. That doesn't happen all too often because the password sites normally delete the username within an hour after the Strongbox security system suspends it.
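The two-stage escalation just described (temporary suspension, then permanent disabling once more clients keep hammering the suspended username, with a notice to the owner) is sketched below as an added example. It is not Strongbox's code; the thresholds, the "client identity" notion (whatever fingerprint or address the deployment uses), and the class name are assumptions made for the illustration.

```python
"""Two-stage response to a shared username (added illustration, not Strongbox's code).

Stage 1: a username seen from more than SUSPEND_AFTER distinct client
identities inside WINDOW seconds is suspended for SUSPEND_SECONDS; while
suspended, every attempt is refused before any password check, which keeps
the cost of a flood of attempts on that username low.
Stage 2: if DISABLE_AFTER distinct identities keep trying during the
suspension, the username is disabled permanently and a notice is queued
for the site owner. All thresholds are assumed values.
"""
from collections import defaultdict, deque
import time

SUSPEND_AFTER = 3        # distinct identities tolerated per window
DISABLE_AFTER = 5        # distinct identities still trying while suspended
WINDOW = 3600.0          # seconds of login history considered
SUSPEND_SECONDS = 900.0  # length of the temporary suspension


class SharedPasswordGuard:
    def __init__(self):
        self.attempts = defaultdict(deque)      # username -> deque[(timestamp, client_id)]
        self.suspended_until = {}               # username -> suspension expiry
        self.suspended_hits = defaultdict(set)  # identities seen while suspended
        self.disabled = set()
        self.notices = []                       # messages that would be emailed to the owner

    def _distinct_recent(self, username, now):
        """Identities that tried this username inside the window."""
        history = self.attempts[username]
        while history and now - history[0][0] > WINDOW:
            history.popleft()
        return {client for _, client in history}

    def check(self, username, client_id, now=None):
        """Gate one login attempt. Returns "allow" (go on to verify the
        password), "suspended" or "disabled"."""
        now = time.time() if now is None else now
        if username in self.disabled:
            return "disabled"
        until = self.suspended_until.get(username)
        if until is not None:
            if now < until:
                seen = self.suspended_hits[username]
                seen.add(client_id)
                if len(seen) >= DISABLE_AFTER:
                    self.disabled.add(username)
                    self.notices.append(
                        f"{username}: disabled after {len(seen)} distinct "
                        f"clients kept trying during suspension")
                    return "disabled"
                return "suspended"
            # suspension expired: start with a clean slate
            del self.suspended_until[username]
            self.suspended_hits.pop(username, None)
            self.attempts[username].clear()
        self.attempts[username].append((now, client_id))
        if len(self._distinct_recent(username, now)) > SUSPEND_AFTER:
            self.suspended_until[username] = now + SUSPEND_SECONDS
            self.suspended_hits[username] = {client_id}
            return "suspended"
        return "allow"


def demo():
    """Constructed sequence: one legitimate member, one shared username."""
    guard = SharedPasswordGuard()
    t = 1_000_000.0
    results = []
    # bob logs in from the same client a few times: always allowed
    for i in range(4):
        results.append(guard.check("bob", "client-bob", now=t + i))
    # alice's password has leaked; eight different clients try it within a minute
    for i in range(8):
        results.append(guard.check("alice", f"client-{i}", now=t + 10 + i))
    return results, list(guard.notices)
```

In the constructed run, bob is allowed every time, alice is suspended on the fourth distinct client and disabled on the eighth, and exactly one owner notice is queued. The password file is never consulted for a suspended or disabled username, which is what keeps a flood of attempts cheap for the server.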
What are these "open proxies" that people tell me the hackers use? ~or~ Besides replacing usernames and passwords with secure tokens, how is the Strongbox security system so much more effective than older IP counting systems?
An http proxy is a server that lets you surf the web through it. Your computer connects to the proxy and tells the proxy what page you want to see. The proxy gets the page for you and forwards it on to you. From the server's perspective, you are invisible - it only sees the address of the proxy. When people do a brute force, or "hurling", attack, they might use 20 different proxies, so the server sees the requests coming from 20 different IP addresses. They do this to fool older "naive" software, which merely counts how many times a certain IP has tried a different username and password. These older, simpler "patch up" systems will let each of the attacker's IP addresses guess many usernames each hour, never recognizing that the guesses from the 20 different IPs are all coming from the same person and their brute force, or "hurling", software.
The Strongbox security system isn't so easily fooled. The Strongbox security system blocks these open proxies right away. There are some legitimate proxies. For example, AOL uses proxies so they don't have to have different IPs for each user. Legitimate proxies that you want to let through, though, are closed proxies - AOL proxies, for example, can only be used by AOL customers. Companies set up legitimate proxies so that only their employees or customers can access them. Script kiddies, hackers, and other undesirables don't pay for access to 20 different proxies from 20 different companies, of course. Instead they use servers that have been misconfigured or hacked so that anyone can use them as a proxy, or one of a couple of proxies put up by nefarious characters specifically for the purpose of allowing various kinds of wrongdoing to be accomplished without showing the perpetrator's IP address. These proxies which anyone can access are called open proxies. As they are often used by people attacking sites and rarely or never used by legitimate users, the Strongbox security system (tm) blocks access from these open proxies. Note - this proxy defense module was originally designed as an extra-cost option to enhance the Strongbox security system's already high resistance to these types of attacks. We have decided to include this module as a free bonus with every Strongbox security system installation right now.
What about upgrades?
How does the Strongbox security system compare to PennyWize?
First off, the Strongbox security system isn't really directly comparable to PennyWize or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with the Strongbox security system there is no monthly fee and no reliance on someone else's server for your protection. PennyWize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing the Strongbox security system (tm) as the next generation in security.
Now for the technical part:
PennyWize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed. One major weakness is that Basic Authentication - the pop up gray box - does not distinguish between the two main phases that you learn about in security 101. The first day of a computer security course you'll hear about the two phases: "authentication", making sure the user is who they say they are, and "authorization", checking if they are allowed to access this particular page, etc. The authentication phase is when they login; the authorization happens every time they view a page or image. With basic auth, they never login. Their username and password are sent by the browser every time it requests a page or image. Because they never actually login, you never get to thoroughly check them out. For example, the Strongbox security system can analyze which countries login requests are coming from, something that the monthly fee services cannot do because of the hit-by-hit analysis their old fashioned approach requires. There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared. PennyWize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up.
PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. The Strongbox security system, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system. PennyWize and similar systems are also easily defeated by proxy based attacks. See the above question about proxies.
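The separation of a one-off login (authentication) from the per-request check (authorization), and the earlier description of a time-limited pass tied to characteristics of the browser, are illustrated below as an added example. It is not Strongbox's patented mechanism, which this FAQ does not describe: the credentials are checked once, a signed, time-limited token bound to a hash of a few request headers is issued, and every later request is authorized from that token alone, so the username and password never travel with each page or image request the way they do under Basic Authentication. The member list, the choice of headers, the lifetime and all function names are assumptions.

```python
"""Authentication once, authorization per request (added illustration, not
Strongbox's code). A login issues an HMAC-signed, time-limited token bound to
a browser fingerprint; each later request is checked against the token only."""
import base64
import hashlib
import hmac
import json
import os
import time

SERVER_SECRET = os.urandom(32)   # per-server signing key; would be persisted in config
TOKEN_LIFETIME = 900             # seconds a login stays valid (assumed value)

# Constructed member list: username -> SHA-256 of the password. A real
# deployment would verify against the processor's password file instead.
MEMBERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def fingerprint(headers):
    """Hash a few request characteristics that stay stable across a browsing
    session (assumed choice of headers)."""
    material = "|".join(headers.get(k, "") for k in
                        ("User-Agent", "Accept-Language", "Accept-Encoding"))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def login(username, password, headers, now=None):
    """Authentication phase: check credentials once, return a token or None."""
    now = int(time.time()) if now is None else now
    stored = MEMBERS.get(username)
    if stored is None or not hmac.compare_digest(
            stored, hashlib.sha256(password.encode()).hexdigest()):
        return None
    payload = {"u": username, "e": now + TOKEN_LIFETIME, "f": fingerprint(headers),
               "n": base64.urlsafe_b64encode(os.urandom(8)).decode()}   # per-login nonce
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    return f"{body}.{_sign(body)}"


def authorize(token, headers, now=None):
    """Authorization phase, run on every page or image request: return the
    username the token is good for, or None."""
    now = int(time.time()) if now is None else now
    if token is None or "." not in token:
        return None
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):   # forged or tampered token
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["e"]:                          # login has expired
        return None
    if payload["f"] != fingerprint(headers):        # token presented from a different browser
        return None
    return payload["u"]
```

Because the token carries the fingerprint it was issued for, a token copied to a browser that sends different headers fails the authorization check even though its signature is valid; after TOKEN_LIFETIME seconds the member has to log in again, which is the point at which checks like origin country analysis can run.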
Does it limit the user bandwidth wise? Or pageview-wise?
It doesn't limit on either page views or bandwidth. The Strongbox security system uses a much smarter approach. Normally, when people start talking about bandwidth limiting, what they really want is some protection against "slurping", programs that bulk download your whole site. The Strongbox security system stops slurping directly, which is far more effective than bandwidth limiting, without the problems caused by bandwidth limiting. Neither page count nor bandwidth limiting works, and both put a significant strain on your server tracking and recalculating bandwidth for each user with every hit.
You can't limit based on the number of files requested, because with thumbnail pages having 40 thumbs on a page it's perfectly normal for the user to request 120 files in one minute. You can't limit based on html pages, because the slurper isn't going to request all that many html pages; he's just going to grab every single pic from each of your gallery pages. Besides, your gallery page URL may well be something.cgi or something.php. How is the script to know whether .cgi or .php is an html page or an image? You can't limit on bandwidth because you want your user to be able to download a 150 MB mpeg, and get it downloaded as fast as his cable modem will allow. You don't, however, want to let that guy on a much slower connection download 150 MB of pics every night. On top of all this, if you limit based on either page hits or bandwidth, you only catch them after they have already done the damage! By the time you detect that they've downloaded 300 MB of stuff in the last hour and you want to kick them out, they've already hit you for 300 MB and put that strain on your server for an hour.
Not only have they strained your server for an hour with such methods, but there will always be a significant strain caused by your protection scheme. Every single time someone requests a page or image the system has to take that information and analyze it with respect to all of the other hits over the last hour to see if the person is over their limit. The Strongbox security system uses a much smarter approach. The Strongbox security system blocks slurping software based on the fact that it is slurping software and not a human, often within seconds of the time they start slurping, before they've even downloaded 1 MB. The Strongbox security system anti-slurp algorithm is well described by looking at every part of that definition - "slurping software and not a human". The Strongbox security system looks to see if it's slurping, hitting every link on the page. The Strongbox security system also looks to see if it's software as opposed to a human. Software extracts links, humans click links. If the link was extracted programmatically, they are blocked. If the link was clicked, they are not blocked.
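One way to turn "software extracts links, humans click links" into a check is shown below as an added example; it is not the Strongbox algorithm, which the FAQ only outlines. The server records the `<a href>` targets of each HTML page it serves; embedded `<img src>` files are fetched automatically by every browser, so they are never counted, and the 40-thumbnail page that produces 120 requests stays normal. A client that follows more than a handful of distinct anchor targets from one page inside a short window is behaving like a link extractor and is blocked after a few files rather than after 300 MB. The thresholds, the class names and the constructed gallery are assumptions.

```python
"""Anti-slurp heuristic (added illustration, not Strongbox's algorithm).
Counts distinct <a href> targets a client follows from one referring page;
inline images are ignored. Thresholds are assumed values."""
import re
from collections import defaultdict

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)
MAX_LINKS = 8   # distinct anchor targets a client may follow from one page per window
WINDOW = 30.0   # seconds


def extract_links(html):
    """Anchor targets on a page, in document order."""
    return ANCHOR_RE.findall(html)


class SlurpDetector:
    def __init__(self):
        self.page_links = {}                                    # page path -> set of hrefs
        self.followed = defaultdict(lambda: defaultdict(dict))  # client -> page -> {href: last ts}
        self.blocked = set()

    def serve_page(self, path, html):
        """Record the links on an HTML page as it is sent out."""
        self.page_links[path] = set(extract_links(html))

    def request(self, client, path, referer, now):
        """Decide on one request. Returns "allow" or "blocked"."""
        if client in self.blocked:
            return "blocked"
        links = self.page_links.get(referer)
        if links is None or path not in links:
            return "allow"   # not an anchor target of a page we served (e.g. an inline image)
        recent = self.followed[client][referer]
        recent[path] = now
        for href, ts in list(recent.items()):   # forget links followed outside the window
            if now - ts > WINDOW:
                del recent[href]
        if len(recent) > MAX_LINKS:
            self.blocked.add(client)
            return "blocked"
        return "allow"


def demo():
    """Constructed gallery: 12 thumbnails, each linking to a full-size image."""
    det = SlurpDetector()
    page = "/members/gallery1.html"
    html = "".join(
        f'<a href="/members/full{i}.jpg"><img src="/members/thumb{i}.jpg"></a>'
        for i in range(12))
    det.serve_page(page, html)
    # A browser loads all 12 thumbnails at once, then the member clicks two pictures.
    human = [det.request("human", f"/members/thumb{i}.jpg", page, 100.0 + i * 0.1)
             for i in range(12)]
    human += [det.request("human", "/members/full3.jpg", page, 110.0),
              det.request("human", "/members/full7.jpg", page, 125.0)]
    # A slurper extracts every href and fetches them all within a few seconds.
    slurper = [det.request("slurp", f"/members/full{i}.jpg", page, 100.0 + i * 0.3)
               for i in range(12)]
    return human, slurper
```

In the constructed run the browser's 12 thumbnail fetches and two clicks are all allowed, while the slurper is blocked on its ninth full-size image. The Referer header is supplied by the client and can be omitted or forged, so a production version would also have to treat requests for known anchor targets that arrive with no referer as following a link.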
Do you have a product that will monitor and limit bandwidth?
Throttlebox is a separate product that does more intelligent throttling than something like mod_throttle. Available separately for a one time fee, there is a discount when you get the combination of both Strongbox and Throttlebox. So the combination of Strongbox and Throttlebox saves money. It's a single one time payment, NOT per month. The annual support deal is available for Throttlebox also at a low cost.
How does the Strongbox security system work with iBill, CCBill, and other processors?
The Strongbox security system is compatible with all known processors, and can be used with many different processors on one site. There is no need to reconfigure the Strongbox security system if you change processors. Each processor writes the password list to a password file, normally named ".htpasswd". The Strongbox security system then reads that file to see if the entered password is correct. Note that the Strongbox security system never changes the password file, only reads it. Unlike other systems on the market, the Strongbox security system can work with multiple password files from different providers, username/password databases such as that created by VBulletin, or remote password verification servers such as AVS systems. The Strongbox security system will work with any AVS.
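The arrangement described above, where each processor writes its own password file and the security system only reads it, is illustrated below as an added example that is not Strongbox's code. It parses `.htpasswd`-style files from several processors, verifies a password read-only against whichever file holds a matching entry, and implements only the `{SHA}` entry format written by `htpasswd -s`, since that needs nothing beyond the standard library; `$apr1$` and bcrypt entries are reported as unsupported rather than guessed at. The file names, entries and function names are constructed for the illustration.

```python
"""Read-only password verification against several processor-written files
(added illustration, not Strongbox's code). Only {SHA} entries are verified."""
import base64
import hashlib
import hmac


def sha_entry(password):
    """Build a {SHA} entry the way `htpasswd -s` does: base64 of the SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_htpasswd(text):
    """Map username -> stored hash; blank lines and comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def verify_entry(stored, password):
    """True only for a matching {SHA} entry; other formats are unsupported here."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(password))
    return False   # $apr1$, $2y$ ... would need a library such as passlib


def verify_user(username, password, password_files):
    """Check each password file in turn; return the name of the file whose
    entry matched, or None. A username may exist in several files because
    several processors can each write their own list. Nothing is written."""
    for name, text in password_files.items():
        stored = parse_htpasswd(text).get(username)
        if stored is not None and verify_entry(stored, password):
            return name
    return None


# Constructed sample: two processors each maintain their own file.
# The $apr1$ line is a placeholder, not a real hash.
SAMPLE_FILES = {
    "ccbill.htpasswd": "# written by processor A\nalice:" + sha_entry("correct horse") + "\n",
    "ibill.htpasswd": "carol:" + sha_entry("battery staple") + "\n"
                      "dave:$apr1$saltsalt$PLACEHOLDER_NOT_A_REAL_HASH\n",
}
```

With the sample files, alice verifies against the first file and carol against the second, a wrong password or an unknown username yields None, and dave's `$apr1$` entry is refused rather than misread, which is the safe default when a format is not implemented.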
A note about SexKey, though - the owner of SexKey, Hank Freeman, indicated that he thought the Strongbox security system would be a good thing to use. A few months later, a SexKey employee named Mark Sender terminated the account of one of SexKey's first webmasters, claiming that using the Strongbox security system violated SexKey's terms. Caveat webmaster.