We've developed a bespoke ASP.NET application for use on our customer's intranet. It appears they're unlikely to pay for it, so our boss would like us to introduce a time bomb.
[Edit:] Technical responses only please! Whether this is a good (or legal) idea is a question for CEOoverflow.com ;-)
All pages in the application inherit from a class called ApplicationBasePage and have consistent error handling, so I'm thinking that throwing an exception early in the lifecycle of ApplicationBasePage will be an easy way to make the application unusable. I'm open to other ideas you may have though.
My question is: how and where should we store the date on which the application will expire?
Some points to note:
- The application is installed on a single server in the customer's offices.
- Application data is held in a SQL Server 2005 database held on the same server. The database was designed by us and is not used for anything else.
- The application is only accessible on their intranet: there is no access to the application over the Internet.
- We currently have remote desktop access to their server, but would expect to lose that if things turn nasty.
- The application is written in .NET 2.0.
- Security is handled by FormsAuthentication.
- We need to be able to turn the timebomb off or change its trigger date easily (assume we still have remote desktop access to do this).
- The server can normally access the Internet, but it would be best not to rely on this.
- The timebomb will only lock users out: it won't destroy any data.
- Unless it triggers, the customer must never be aware of the time bomb's existence.
- Their IT guy will happily go poking around in the web.config or in the database. He's not a programmer but he's not afraid to change things "just to see what happens". Decompiling or reverse engineering the application would be beyond his capabilities.
For extra credit, how much do you think it's OK to rely on security through obscurity in this case?
[Edit:]
- The application does a lot of business-critical date-dependent stuff, so we can be sure they won't change the clock on their server as this would make the application worse than useless.
"They're looking unlikely to pay for it, so our boss would like us to introduce a time bomb."
You're being asked by an incompetent businessman to implement a technical solution to a business problem. If your client is not going to pay, your Boss should be dealing with the situation like an Adult and not screwing around with logic bombs like a high school hacker.
It's unethical, probably illegal, but mostly it's just stupid.
Two thoughts:
1) I would host the application for them off-site until they pay, or until they put the money in escrow. If they say it doesn't work and won't pay then they won't mind if you turn off access whilst the agreement is sorted out, will they?!
2) We've done similar to this before. We spent far more time considering how any possible "time bomb" would be 100% bullet-proof so that it could not go off by accident either before the cutoff date, or at some time accidentally after having been "de-fused". For example, it may be better to actually remove the code rather than to just change a flag from "Trial" to "Unlimited use".
Knowingly introducing a "time-bomb" like that is certainly illegal. Your boss isn't the first one to consider it and won't be the last. His best bet is to halt production implementation until a payment is made.
I am not a lawyer, but here's my perspective: If they are claiming the program does not work and it is unusable, then they cannot later argue that it 'works less' and hold you responsible for damages unless they already made partial payments for what does work.
I would get their complaint in writing before you try any of the suggestions here. (I would add that the 'free trial' route seems safest)
You might want to warn your boss that if his customer suffers any monetary loss (including loss of customers), your company is going to be liable for that loss and probably penalties, too, plus your company's legal fees. And, if the company doesn't survive the lawsuit and settlement, you'll be out of a job.
I'd think twice before just going along with this if I were you.
Like many others here, I would say don't do it. I don't know if it is illegal but it just doesn't feel right. Business must be based on trust and open discussion must take precedence over such schemes.
Talk about your concerns and freeze development, if necessary - I assume they want the product after all!