The new Strongbox site is at www.bettercgi.com/strongbox/



The world's only cryptographically secure defense system for web sites.

StrongBox features:

StrongBox is RMEE's user authentication and authorization system for pay sites and AVS sites. Old-style Basic Authentication is no longer acceptable for professional sites because it is quite vulnerable to password sharing and brute force attacks.
Also, the current versions of Microsoft™ Media Player do not support these old-fashioned username/password pairs. If you want to stream video on your web site you must upgrade to StrongBox without delay. Until you do, customers with newer versions of Media Player will not be able to access your video content.

Password Sharing

Today there are more ways for attackers to share passwords than ever before. Years ago, webmasters only needed to be concerned with password sites. Today, there are old-fashioned password sites with links, Yahoo! Groups for sharing passwords, password message boards, sites with sophisticated ActiveX controls to circumvent your protection, and many other methods for password distribution. In today's web environment you need the protection of StrongBox to keep people from stealing your bandwidth by using these passwords. In some cases StrongBox has been able to save webmasters 6 GB per day in bandwidth used by password traders. The average site that doesn't use proper security software like StrongBox seems to be losing about 1 GB per day this way. By eliminating this theft of service, StrongBox will pay for itself the first month you use it.

Brute Force Attack

Brute force describes an attack in which many thousands of possible username/password combinations are attempted very quickly. This type of attack will often compromise a site protected with basic username/password pairs. This is particularly true because hackers use lists that include very predictable user names such as admin with thousands of likely passwords. To prevent a brute force attack from succeeding, the traditional advice has been to choose long, difficult to guess (and difficult to remember) user names and passwords such as 8x!O;9&)>Mej9gC<. Even if all your subscribers did use such passwords, preventing a compromised password is not enough. Looking over server logs, we've seen that failed attacks are fairly common. Because the attack may or may not compromise any passwords, the site owner often is none the wiser. But you may notice a drop in sales or more customer complaints as your server is significantly overloaded during the course of an attack. One popular adult web host advised us that failed brute force attacks regularly bring servers to their knees. For that reason, you need to prevent a brute force attack, along with its effects on your server, from ever occurring. If it does occur, you need to keep the attacker from using up all of your server resources in the process. StrongBox provides both technology to discourage anyone from even attempting such an attack and a defense against the crippling overload if they attack anyway. To be precise, StrongBox uses a 52 bit session ID. If an attacker were to send your server 100 requests per second, they could expect to correctly guess one StrongBox session ID after 1,425,000 years of trying.

Secure Cross-Site Links

StrongBox also allows you to link between sites securely. That is, you can have links in the members section of one domain that can securely bring your members to the members section of another domain, which may be on a different server. You guys with AVS sites know how much of a problem referer spoofing has become, so it's no longer wise to have that kind of setup with just a referer check.

Anti-Slurp

StrongBox is also designed to allow easy integration of a script to protect against "slurping", or bulk downloading of your whole site. While there have always been software programs that would allow a user with even a short term trial membership to download your whole site, this functionality is now built into major browsers such as IE. In the worst case, after the thief downloads your whole site with the click of a button they will change the referral links and upload the copy to their own server, effectively stealing your business. I can't imagine the uproar there would be if this happened in the offline world - somebody breaking into a store, stealing all of the merchandise, the display racks, signs, etc. and using it all to open an identical store across the street. Yet, many webmasters allow this to happen to them and don't do anything to prevent it. With StrongBox, you can choose from several techniques for detecting the slurping and then ask StrongBox to kick that user out. If they want to look at the rest of your content next month, they'll have to keep their membership current, rather than having a copy on their hard drive. (Be sure to ask about the anti-slurp scripts that interface with StrongBox when you order.)

Optional Reporting and Member Management Module

Among the optional enhancements that you can choose for StrongBox are the Reporting and Member Management module and the Deluxe Reporting module. Both provide reports of the most active users over any chosen time period, the most active usernames, etc. You can look up any username to see the exact times, dates, and IPs when they logged in to your site. You can also see what StrongBox determined about the attempted logins. If a username or IP range is suspended or disabled you'll be able to see exactly why. This is also helpful with users who claim to have never used your site and ask for a refund. More than one StrongBox webmaster has had a hearty laugh as they emailed a user a complete record of the 22 times the person "used" the site over the last 5 weeks. The users generally apologize and comment on how much they really do like the site. This module also shows any errors that may have occurred, to help in resolving customer complaints. I strongly suggest at least the basic reporting module ($25) for all pay sites. The deluxe report module ($45) adds hit-by-hit reports of exactly which pages, images, and videos a user looked at in any given session.


Purchase and installation

It's important to me that your site works properly for your members, and you don't have to struggle with some script for several hours. Therefore, I always do the installation for you as a professional courtesy. The whole point of getting software is to make your job easier, to make it so you don't have to concern yourself about password sites or similar problems again. All you need to do is just email Ray Morris at support@webmastersguide.com.
StrongBox costs $65 for the pay site version, $35 for the AVS site version. To install it I just need the URL and FTP info. Payment can be made by ePassporte, PayPal, moneybookers, CC, or just about however you want. PayPal or moneybookers can be sent to support@webmastersguide.com. You can email CC info to that same address. For ePassporte, use raymor@epassporte.com. ePassporte and CC are my preferred payment methods. If you'd like to pay by CC but would rather not email the info, I can be reached at 979-530-1300 or ICQ at 7208627. One of these days I'll get a secure payment form back up again. For those of you with several sites, or who are buying in association with other webmasters, I offer substantial quantity discounts:

StrongBox AVS Pricing

  AVS sites     Discount   Price each
  1 site        0%         $35 each
  5 sites       20%        $28 each
  10 sites      40%        $21 each
  20 sites      60%        $14 each
  40 sites      75%        $8.75 each
  70 sites      80%        $7 each
  100+ sites    85%        $5.25 each

StrongBox Pay Pricing

  Pay sites     Discount   Price each
  1 site        0%         $65 each
  5 sites       20%        $52 each
  10 sites      40%        $39 each
  20 sites      60%        $26 each
  40 sites      75%        $16.25 each
  70 sites      80%        $13.00 each
  100+ sites    85%        $9.75 each


StrongBox Usage and Requirements

StrongBox has two requirements as to how your web server is set up and how your HTML is coded. We can help get your site ready for StrongBox if needed. For example, in some cases links within your members area may need to be adjusted and we can do that with our search and replace scripts.
To use StrongBox, you must be able to access your site from ANYTHING.your-site.com (wildcard domains). Some hosts set this up by default. On other hosts I can help get it set up for you and it's not a big deal. The other thing is that your members area links can't be full URLs. You have to use this:

<a href="./gallery1.html">
or this:
<a href="/members/gallery1.html">
instead of:
<a href="http://your-site.com/members/gallery1.html">
If you have links with full URLs in your members area we can do a search and replace to take care of those for you.
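The search-and-replace described above, as an added example that is not StrongBox's own script: it rewrites absolute href/src links pointing at your own hostnames (your-site.com and www.your-site.com are assumed names) into root-relative paths, leaves links to other hosts alone, and reports anything it missed so you can check the members area before go-live.

```python
import re

# Constructed members-area HTML for this example (not taken from a real site).
SAMPLE_HTML = """\
<a href="http://your-site.com/members/gallery1.html">Gallery 1</a>
<a href='https://www.your-site.com/members/gallery2.html'>Gallery 2</a>
<img src=http://your-site.com/members/img/pic1.jpg>
<a href="/members/gallery3.html">Gallery 3 (already root-relative)</a>
<a href="./gallery4.html">Gallery 4 (already relative)</a>
<a href="http://other-site.example/page.html">Off-site link, left alone</a>
"""

# Hostnames that count as "our site"; assumed values, adjust for a real install.
SITE_HOSTS = ("your-site.com", "www.your-site.com")

# Group 1: attribute name plus optional quote; group 2: scheme and our host;
# group 3: the path, which is all we want to keep.
ABS_LINK = re.compile(
    r"""((?:href|src)=["']?)(https?://(?:%s))(/[^"'\s>]*)"""
    % "|".join(map(re.escape, SITE_HOSTS)),
    re.IGNORECASE,
)


def relativize_links(html):
    """Turn absolute links to our own hosts into root-relative paths.
    Returns (rewritten_html, number_of_links_changed)."""
    return ABS_LINK.subn(r"\1\3", html)


def find_absolute_links(html):
    """List absolute links to our hosts that remain; empty means the page is ready."""
    return [m.group(2) + m.group(3) for m in ABS_LINK.finditer(html)]


if __name__ == "__main__":
    rewritten, changed = relativize_links(SAMPLE_HTML)
    print(f"{changed} link(s) rewritten")
    print(rewritten)
    print("still absolute:", find_absolute_links(rewritten))
```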

We've tried very hard to make StrongBox as simple as possible and not depend on any more software than necessary. Thus it does not require MySQL or anything else other than Perl, mod_rewrite, and Apache. So far I haven't found any hosts that needed additional software installed. The Perl scripts use the following Perl modules, all of which are standard modules that are probably already installed:


StrongBox OAQ

(once asked questions)
How does it work?
Quite well.
No, really, how does it work?
It generates a cryptographically secure, time-limited, one-time pass tied to certain identifying characteristics of the user's browser. That's about all I'll say on that subject until the patents are secure.
StrongBox sounds like everything I'm looking for, and therefore, too good to be true. But I understand that you are well-known in the adult Internet business, and that's encouraging.
I have been around a while (since 1997) and I think you'll hear from other people that what I say about the product can be relied upon. I also try to be sure to mention the less positive aspects, such as it being a bit of a pain to set up.
Is it a flat-out $65, or $65/month? Are there any setup fees?
The license/setup fee is a flat $65 per site, with no monthly charges. This is very inexpensive compared to services that provide much less functionality and charge a monthly fee. Some people wonder why it's so inexpensive if it's so good. There are two reasons. First, we use and believe in free software such as Linux. We can't give StrongBox away free and still pay the rent, but we do believe in giving webmasters the best deal possible. Secondly, our pricing reflects the fact that most webmasters trust my judgement and simply place an order, without needing several hours of meetings or phone calls to make a decision. In the corporate world it is common to spend far more time in discussions than actually doing anything. Thus many vendors' prices reflect the fact that they expect to spend several hours with you regarding each purchase. We don't write formal proposals and we don't have meetings, so we can charge only for the actual program. (Ongoing support IS available, but extensive support will be charged separately.)
I'm assuming that StrongBox will run on Linux/Apache. Is it a compiled application? A set of mod_rewrite rules? PHP or Perl?
StrongBox is designed for Linux and Apache and is also running on BSD systems. The current version consists of some Perl scripts and creative mod_rewrite rules. 2.0 will be a compiled C rewrite_map server, some rewrite rules, and some additional Perl or C support scripts.
I understand StrongBox produces a log file of sorts. How do you configure it? Or will I be able to alter its configuration after you've installed it?
It does produce a log of logins for each site, which by default is in the StrongBox installation directory. This log generally remains very small and thus doesn't require any maintenance. The only configuration option for the log is its location. Like all configuration, that is set via a simple variable in config.pl. Also, read about the reporting and member management module.
Does StrongBox use a connection to your server, similar to older systems that provide part of the protection that StrongBox provides? When PennyWize's site goes down it takes my site down with it.
Unlike less capable systems such as PennyWize, StrongBox runs entirely on your server and does NOT depend on a connection to our servers. I believe it's totally unacceptable to create a situation where your members can't log in to your site just because PennyWize's server is down.
My current system, for which I pay a monthly fee, often disables legitimate members of the site. Does StrongBox do that a lot?
That has been a big problem with the old "bandaid" services for years. In part, it's due to their approach of trying to patch up the holes inherent in the basic username/password authentication method. Kind of like trying to plug the holes in a chain link fence, it doesn't work very well and there are often errors. By replacing that old chain link fence with a modern wall of protection, StrongBox is not limited by the old system, which was specifically designed to be insecure. It can therefore be far more accurate about which requests to allow and which to block. Also, StrongBox doesn't just permanently kill a username when it sees the first signs of possible abuse. Unlike the clumsy services that you may be accustomed to, StrongBox takes a more measured and precise approach. StrongBox has two stages of defense for shared passwords. When it detects a username/password that has probably been compromised, it suspends that username temporarily. At that point it also takes action to reduce the potential load put on your server should there be an extremely large number of people hitting your site trying (and failing) to access it with that username. If several more people continue to try to log in with that same username, StrongBox permanently disables the password. It then emails you to let you know that it has detected and taken care of the problem. That doesn't happen all too often because the password sites normally delete the username within an hour after StrongBox suspends it.
What are these "open proxies" that people tell me the hackers use?
or
Besides replacing usernames and passwords with secure tokens, how is Strongbox so much more effective than PennyWize or Password Sentry?
An HTTP proxy is a server that lets you surf the web through it. Your computer connects to the proxy and tells the proxy what page you want to see. The proxy gets the page for you and forwards it on to you. From the server's perspective, you are invisible - it only sees the address of the proxy. When people do a brute force, or "hurling", attack, they might use 20 different proxies, so the server sees the requests coming from 20 different IP addresses. They do this to fool software like Password Sentry, which merely counts how many times a certain IP has tried a different username and password. These older, simpler "patch up" systems will let each of the attacker's IP addresses guess many usernames each hour, never recognizing that the guesses from the 20 different IPs are all coming from the same person and their brute force, or "hurling", software.
StrongBox isn't so easily fooled. StrongBox blocks these open proxies right away. There are some legitimate proxies. For example, AOL uses proxies so they don't have to have different IPs for each user. Legitimate proxies that you want to let through, though, are closed proxies - AOL proxies, for example, can only be used by AOL customers. Companies set up legitimate proxies so that only their employees or customers can access them. Script kiddies, hackers, and other undesirables don't pay for access to 20 different proxies from 20 different companies, of course. Instead they use servers that have been misconfigured or hacked so that anyone can use them as a proxy, or one of a couple of proxies put up by nefarious characters specifically for the purpose of allowing various kinds of wrongdoing to be accomplished without showing the perpetrator's IP address. These proxies which anyone can access are called open proxies. As they are often used by people attacking sites and rarely or never used by legitimate users, StrongBox blocks access from these open proxies. Note -
This proxy defense module was originally designed as an extra cost option to enhance Strongbox's already high resistance to these types of attacks. We have decided to include this module as a free bonus with every Strongbox installation right now.
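The difference between the two approaches described in the last two answers (counting failures per source IP versus watching each username across all source IPs, with the temporary-suspend-then-disable stages) as an added example, not StrongBox's code: the thresholds, the "distinct IPs per username" signal, and the login records are all assumed or constructed for the illustration. It also shows why spreading an attack over 20 proxies keeps a per-IP counter quiet while the username-centric view catches it.

```python
from collections import defaultdict

# Thresholds for this illustration only (assumed values, not StrongBox's real settings).
WINDOW = 3600        # seconds of login history kept per username
SUSPEND_AT = 4       # distinct source IPs on one username within WINDOW -> suspend
DISABLE_AT = 7       # distinct IPs still arriving while suspended -> disable
NAIVE_PER_IP = 10    # failures from one IP before a per-IP counter would react


def build_sample():
    """Constructed login records (ts, ip, username, result), not real traffic:
    one legitimate member, one password shared across 7 proxy IPs, and a
    'hurling' run against 'admin' spread over 20 proxy IPs, 4 guesses each."""
    recs = [(100, "203.0.113.5", "alice", "ok"), (160, "203.0.113.5", "alice", "ok")]
    recs += [(200 + 10 * n, f"198.51.100.{n}", "shared1", "ok") for n in range(1, 8)]
    recs += [(400 + k, f"192.0.2.{1 + k % 20}", "admin", "fail") for k in range(80)]
    return sorted(recs)


def username_defense(records):
    """Two-stage, username-centric defense: enough distinct IPs on one username
    -> temporary suspension; more keep coming -> permanent disable.
    Returns (state, events); events record when and why each decision was taken,
    which is what a webmaster would want to see in a report."""
    seen = defaultdict(list)          # username -> [(ts, ip), ...] inside WINDOW
    state, events = {}, []
    for ts, ip, user, _result in records:
        hist = [(t, i) for t, i in seen[user] if ts - t <= WINDOW] + [(ts, ip)]
        seen[user] = hist
        distinct = len({i for _, i in hist})
        cur = state.get(user)
        if cur == "disabled":
            continue                  # already handled; further requests are refused
        if cur == "suspended" and distinct >= DISABLE_AT:
            state[user] = "disabled"
            events.append((ts, user, "disabled", distinct))
        elif cur is None and distinct >= SUSPEND_AT:
            state[user] = "suspended"
            events.append((ts, user, "suspended", distinct))
    return state, events


def naive_per_ip(records):
    """The older approach: count failures per source IP. Spread over 20 proxies,
    the same attack never pushes any single IP over the threshold."""
    fails = defaultdict(int)
    for _, ip, _, result in records:
        if result == "fail":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= NAIVE_PER_IP}


if __name__ == "__main__":
    recs = build_sample()
    state, events = username_defense(recs)
    print("username-centric decisions:", state)
    for ev in events:
        print("  ", ev)
    print("per-IP counter blocked:", naive_per_ip(recs) or "nothing")
```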
How do I know that it's really as good as you say? Do you have any references?
I encourage you to search your favorite webmaster boards to see what people say about "Ray" and "Strongbox", but here are a few posts to get you started: On GreenGuy and Jim's, DangerDave and Kevin recommend StrongBox, then LindaMight raves about it: DangerDave recommends StrongBox to LindaMight
LindaMight raves about Strongbox after she gets it.

What about upgrades?
Upgrades are available at any time with a $15 installation fee. The $15 upgrade applies to the same "major version" that you purchased. That is, if you purchase any 2.x version you can upgrade to the current 2.x version at any time. A 2.x license will not necessarily entitle you to a 3.x upgrade. 3.0 may be a very different product with different features and very different pricing.
How does StrongBox compare to PennyWize?
First off, StrongBox isn't really directly comparable to PennyWize or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with StrongBox there is no monthly fee and no reliance on someone else's server for your protection. PennyWize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing StrongBox as the next generation in security. Now for the technical part: PennyWize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed. One major weakness is that Basic Authentication - the pop up gray box - does not distinguish between the two main phases that you learn about in security 101. The first day of a computer security course you'll hear about the two phases of "authentication", making sure the user is who they say they are, and "authorization", checking if they are allowed to access this particular page, etc. The authentication phase is when they log in; the authorization happens every time they view a page or image. With basic auth, they never log in. Their username and password are sent by the browser every time it requests a page or image. Because they never actually log in, you never get to thoroughly check them out.
There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared. PennyWize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up. PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. StrongBox, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system. PennyWize and similar systems are also easily defeated by proxy based attacks. See the above question about proxies.