WARNING: nop-templates obfuscated with unregistered .Net reactor!

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
My new Motion nop-templates theme for 3.8 is raising 20+ popup windows at every startup as well as randomly.
The message says that nop-templates obfuscated their code using a .Net Reactor software that is not registered and unpaid for.

Has anyone else seen this?
If so how did you resolve that issue?

Of course I sent an email to nop-template and hope to hear back from them.
Not paying for software is very dodgy - so I am concerned they might not respond.
I already had a lot of issues with their templates - and had to remove many of them as they were too limiting and it was so much easier to just write the code ourselves.

Since we paid for their templates - I am disappointed their code was obfuscated with unlicensed software.

Anyhow - at the moment my project is in trouble. It is once again on hold due to issues with this damned nop-template.
If someone here would know of a way to solve that issue...

What a shame nop-templates. What a shame...

Frederic
7 years ago
Hi Frederic,

We already replied to your email but just to write here for anyone reading this!

I must say that this is the first time in the last 5 years (since we founded the company) that something like this has happened to our build packages!

Please let me explain again what and why it happened.
Please note that we are using a licensed version of the .NET Reactor but due to some hardware changes on our build machine the license was temporarily invalidated (until we generated a new one).
That is the reason why a specific build of our products shows these popups at runtime.
The problem was quickly addressed and corrected product packages were deployed to our website but there was a small window in which several customers had managed to download their products (with the corrupted assemblies).

We added a regression test so I can assure you that this will never happen again!

Basically the product packages just need to be re-downloaded and updated in order for this to be corrected.
Please note that only a few customers have been affected by this and not all our customers need to update their products.

We sincerely apologize to all these customers!

Thanks,
Boyko Bonev
Nop-Templates.com Team
7 years ago
Boyko -

Thank you so much for the response.

I am trying to install the code again and hopefully all goes well.

I am running into a few more issues with your code:

Opening the views in Visual Studio crashes Studio every single time.
This is probably due to all the DLLs that have been mangled during obfuscation.
This issue is not a big deal - we can find a workaround.

But I have some important questions about the code - and would love if you could shed some light on it before we can be confident using it. Thank you in advance.

You recently told me that some code from your template is storing encrypted information inside the database and that it was the reason we had issues when running on Azure.
Because Azure data migration will break when there is encrypted information.
Unfortunately we cannot install and uninstall plugins when we move the DB in and out of Azure during the normal development cycle. It is technically possible but would be very time consuming and dangerous - so we will not do it. Therefore we need to know which part of your code is responsible for screwing up with our DB so that we can eliminate these components.

Now we are trying to decide what we can safely use from your product suite.

Which plugins can we install that will not put any kind of encrypted data in the database – that will not make any network calls to other servers?

Does SevenSpikes.Core put any encrypted data in the database? If so that would mean all plugins are doomed.
Does SevenSpikes.AjaxCart put any encrypted data in the database?
Does SevenSpikes.CloudZoom put any encrypted data in the database?
Does SevenSpikes.InstantSearch put any encrypted data in the database?
Does SevenSpikes.MegaMenu put any encrypted data in the database?
Does SevenSpikes.ProductRibbons put any encrypted data in the database?
Does SevenSpikes.QuickView put any encrypted data in the database?

Is there any other harmful or potentially harmful functionality currently included in your software that you have not disclosed to us yet?


Frederic
7 years ago
Hi Frederic,

Thank you for your reply!

First let me say that I completely understand that having something encrypted or obfuscated seems a little bit suspicious but if you continue reading you will understand our true intentions of doing this.
I think it is not correct to assume that obfuscated code or encrypted stored procedure means something harmful or dangerous.
Obfuscation is something normal in the .NET world or even the JavaScript world and it doesn't mean that the code is harmful or dangerous. A lot of software companies do this as a level of protection of their intellectual property.
We use the obfuscation for the same reason, to protect our code to some degree.
In a perfect world we would not be worried about our code being stolen and we wouldn't even have had this discussion with you.
Please note that we are also not happy about the fact that we need to add a level of complexity to our release cycle by obfuscating the code (which led to an issue like the one that happened to you).


FredBell wrote:

Opening the views in Visual Studio crashes Studio every single time.
This is probably due to all the DLLs that have been mangled during obfuscation.
This issue is not a big deal - we can find a workaround.


This is strange and should not happen.
Please note that the obfuscation could not be the reason for this and it should be something else.
Please submit a ticket and we will take a look and advise.

FredBell wrote:

But I have some important questions about the code - and would love if you could shed some light on it before we can be confident using it. Thank you in advance.

Now we are trying to decide what we can safely use from your product suite.

Which plugins can we install that will not put any kind of encrypted data in the database – that will not make any network calls to other servers?


You are welcome and I am glad you asked this question.
It is absolutely safe to use all our products as they won't harm anything in your nopCommerce installation.
There is only a SINGLE plugin - Nop Ajax Filters - that uses an encrypted stored procedure and you can read why we are forced to do this in this post. I can assure you that this stored procedure as well as any of our products does not make any network calls to any servers and I don't understand why you have such doubts in the first place.
Please note that our products are used on thousands of nopCommerce websites and we could not afford to do any stupid things that could make our customers have doubts about our products.

FredBell wrote:

Is there any other harmful or potentially harmful functionality currently included in your software that you have not disclosed to us yet?
Frederic


First let me say that there is no harmful functionality in our products.
If you consider the encrypted stored procedure as harmful then I can assure you that this is the only encrypted stored procedure in our products. Actually the Ajax Filters are the only plugin that adds a new stored procedure in the database. None of our other plugins add any stored procedures or encrypt anything in the database.
I agree that having an encrypted stored procedure causes some inconvenience during the backup process.
If you have any ideas how we can protect it in a way that won't cause such issues I will be glad to hear them!
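
Added example, not part of either post and not Nop-Templates' code: a T-SQL check a database owner can run before moving a nopCommerce database to Azure, listing every module stored WITH ENCRYPTION, which is the condition the thread identifies as breaking the migration. It assumes SQL Server, generalizes beyond stored procedures to views, functions and DML triggers, and assumes no plugin object names since none appear in the thread.

```sql
-- Added example: list user-created modules whose definition is encrypted
-- (created WITH ENCRYPTION). Run it in the nopCommerce database as a
-- database owner. Assumes SQL Server; no plugin object names are assumed.
SELECT
    SCHEMA_NAME(o.schema_id)  AS schema_name,
    o.name                    AS object_name,
    o.type_desc               AS object_type,   -- SQL_STORED_PROCEDURE, VIEW, ...
    o.create_date,                              -- compare with plugin install dates
    o.modify_date
FROM sys.objects AS o
JOIN sys.sql_modules AS m
    ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0                       -- skip system-supplied objects
  AND (
        OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
        -- Encrypted modules expose no definition text. The column is also
        -- NULL when the caller lacks VIEW DEFINITION permission, which is
        -- why this should be run with owner-level rights.
        OR m.definition IS NULL
      )
ORDER BY o.create_date DESC;
```

An empty result set means nothing in the database was created WITH ENCRYPTION; any rows returned are the objects to trace back to the plugin that installed them.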
7 years ago
Boyko -

Thanks a million for the response.

I am glad to hear that the Ajax filter is the single plugin doing this.
Obviously this means we will not install it. The good news is that we decided to kill it as it puts too much drain on performance already on the system.
And quite frankly - if you need a filter for a website - it means the site design is very poor. If it is well organized - no one should need a filter to find the product they want. But that is a separate conversation...

I can understand the obfuscation part somewhat.
The issue I am having in general - and why I had to raise all these questions - is that we were never advised, nor warned by your company about any of these issues before we purchased the product.
As a result - once we discovered these issues - we became very suspicious. To be honest we became scared of your product and your company as well.
I think it is critical to be very upfront about the product. All this information should have been very prominently placed on your site so that we could make an informed decision.

For instance the encrypted stored proc is making using Azure almost impossible. This is important information - the kind of information a potential buyer should know about.

As for a solution to the issue - to be honest - I don't think your code needs to go that far. Who cares about the value of the stored proc - no one - because it has virtually no value.
I am not being rude - please understand - all of this is relatively simple code.
The issue you create by encrypting the sproc is far greater than the risk of someone looking at it for inspiration.

In the commercial world - I often buy software for corporations - I can assure you that the vast majority of what we buy we get with the source code. As a corporation we would not buy software from a small shop without the source code.
We simply sign an NDA - stating that we will not divulge the source code to anyone.
The only software we do not mandate to get the source code is when it comes from companies like MS - Oracle - IBM etc... and this is because we know they will be around forever.

The world is changing - we would have paid 10 times the price we paid for your product - if it came with the source code.

One more thought for you - and this one is important:

Why do you think we chose nopCommerce to replace our ecommerce platform?
Because it is open source.
Therefore we can change it - customize it and make it do what we need.

Isn't it ironic that now that we use an open source platform - we just ran into your company which goes way overboard trying to protect every little piece of code there is :)
And at the same time - we purchase software for big corporations with the source code and simply sign an NDA.

I do think the situation is pretty ironic.


Anyhow - thank you again for clarifying the situation.
It does make us feel quite a bit better knowing that no other plugin will create issues once deployed on Azure.

Thank you very much Boyko

Frederic
7 years ago
@FredBell, have you integrated the template, and is it working as expected?