Most of you have probably never noticed that when you click on one of the download links on our download page, there’s a long link to the setup file there. Most of you don’t care — you just want to download the software. Some people, however, see a link to the setup file and think, “Hmmm… I wonder if I could download other files by just modifying this URL?” That’s when the fun begins.
The URLs on the download page look something like this:
It’s pretty obvious if a person were to change the product code (PBCE3001) and file name (PBSetupPktPC.exe) he or she should be able to download any product they want — for free. You’d think since we’re selling Bible software that never happens. You’d be wrong.
When someone tries messing with one of these URLs they’ll get a message telling them what’s wrong (“The filename requested does not match the product”) and telling them to forward the message to Tech Support for help. What they don’t know is that I get a copy of that error message delivered to me by email before they even see it. So we know they’re there and we know what they’re doing.
I had some fun the other day watching a person try to get a free PocketBible upgrade. They tried fourteen different file names within seven minutes, then another an hour later. Each time, I received an email containing the URL they were trying to access and information disclosed by their browser that can help me figure out who they are.
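Here is an added sketch (my own illustration, not the code behind our download page) of the two pieces described above: a server-side allowlist that only serves a file name registered for the requested product code, and an alert record for every mismatch that also flags a burst of guesses from one address within a seven-minute window. The product code and file name are the ones quoted above; everything else (the second product, the request URL layout, the 5-attempt threshold) is made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed allowlist: product code -> file names that may be served for it.
# PBCE3001 / PBSetupPktPC.exe are from the post; PBCE3002 is invented.
ALLOWED_FILES = {
    "PBCE3001": {"PBSetupPktPC.exe"},
    "PBCE3002": {"PBSetupPalm.exe"},
}

MISMATCH_MSG = "The filename requested does not match the product"


@dataclass
class DownloadGuard:
    window_s: int = 7 * 60          # burst window (seven minutes, as in the post)
    threshold: int = 5              # mismatches in the window that count as a burst (assumed)
    alerts: list = field(default_factory=list)
    _attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, product, filename, client_ip, user_agent, now):
        """Return (ok, message). ok is True only if the file is registered for the product."""
        if filename in ALLOWED_FILES.get(product, ()):
            return True, "ok"

        # Mismatch: record the attempt, drop attempts older than the window,
        # and decide whether this source is guessing rapidly.
        recent = self._attempts[client_ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        burst = len(recent) >= self.threshold

        # This record is what would be emailed to the administrator: the URL
        # that was tried plus what the browser disclosed about the client.
        self.alerts.append({
            "url": f"/download?product={product}&file={filename}",  # invented layout
            "ip": client_ip,
            "user_agent": user_agent,
            "time": now,
            "burst": burst,
        })
        return False, MISMATCH_MSG
```

The user only ever sees `MISMATCH_MSG`; the alert list is the administrator's view, and `burst` is what separates a single typo from the fourteen-guesses-in-seven-minutes pattern.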
It’s really interesting what you can find out when you have just a few pieces of information. This person, for example, was connected via DSL (Bell South) from work (tsk tsk … using your work time to order personal software!) but it’s probably OK because this person owns the business (bought it from their parents a few years ago). And I probably shouldn’t be too hard on them because they’ve gone through some legal hassles with the local government recently and have been forced to relocate. Times are tough, but business seems to be thriving, so good for them!
A few years back we were using a different security system and had someone actually discover a way to get software for free. We immediately detected the intrusion and even let them take some stuff so we could see how they were doing it. Once we plugged the hole we started doing some investigating. We were able to quickly find out that the person was logging in from work. They worked for a big accounting firm in an overseas office. We contacted them by email and explained that we knew what was going on, and that we didn’t want to have to go to their employer to shut them down. This person was very apologetic and quickly paid for everything they had taken.
Our would-be burglar last week wasn’t as smart and never made it past our security. A couple hours later they placed an order for the upgrade.
Hopefully this won’t cause a bunch of you to decide to try to break in. I just wanted to let you know that a) it’s not as easy as it looks, and b) if you try, you should smile, because we’re watching you.