Community


Email Notification Idea

Links used in this discussion
Alan Halls, User (Posts: 23)
Apr 11, 2019 9:17:41 am EDT
After about a year of being a free customer, and having some trouble with the file transfer portion of the app, I had a great day using RemoteUtilities yesterday with almost no problems at all and decided to become a Pro customer!

While setting up the MSI Installer, I had an idea about the email notification portion that I wanted to share. Paid users could have an online account that links to their installer that allows them to configure some of the extra options such as the authentication and email notifications of a new ID being generated. Then the application rather than sending the notifications through SMTP could relay that info to RemoteUtilities (or other repeater?) where the info could then be emailed to the user.

The difference is that if the host gets decompiled, there is a chance of disclosure of where the emails are being sent, and maybe passwords as well. As it is I created a new gmail account, set it to forward to my normal account and then deletes it, wrote a script that auto flushes the trash every minute on that account so there is no record of it.

If my Viewer was linked to my account here, then I could set my notification options here, and you could even have each new connection randomly generate a 64bit password. I think this would dramatically increase the security for those using the notification system.
Alan Halls, User (Posts: 23)
Apr 11, 2019 9:19:02 am EDT
PS, here it the script:

Go to https://script.google.com

Then create a new project and paste the below into it:

function removeMyTrash() {
var mymail = "email@gmail.com";
var mylabel = "trash";
var permanentlyRemoveMyLabel = true;
var pageToken;

do {
   var threadList = Gmail.Users.Threads.list('me', {
   q: 'in:' + mylabel,
   pageToken: pageToken
   });
   if (threadList.threads && threadList.threads.length > 0) {
       threadList.threads.forEach(function(thread) {
       Logger.log('id: %s snippet: %s', thread.id, thread.snippet);
       if (permanentlyRemoveMyLabel) {
           Gmail.Users.Threads.remove(mymail, thread.id);
           Logger.log('id: %s snippet: %s REMOVED', thread.id, thread.snippet);
       }
   });
  }
  pageToken = threadList.nextPageToken;
  } while (pageToken);
}
If you try and run the script as is it will error out.

Next you click on Resources and go to Advanced Google Services.

Scroll down to Gmail API and turn that on.

Next click Google Cloud Platform Link on that same window that came up where you enabled the Gmail API.

Then click on the Enable services and API and search for Gmail. Click on Gmail and then enable it.

Then go back to your script screen and click on the menu Edit and go to Current project's triggers.

Set a trigger to run the script either every minute or whatever time interval that you want the script to run and empty your trash.

Keep in mind you can delete from IN:TRASH IN:SPAM or whatever other label you want. It won't delete reminders and the deletion is final. You can't recover any of the emails.
Edited:Alan Halls - Apr 11, 2019 9:20:27 am EDT
Alan Halls, User (Posts: 23)
Apr 11, 2019 10:11:39 am EDT
Even better would be to have it automatically added to my viewer to a category of "New Installs"
Conrad Sallian, Support (Posts: 2993)
Apr 11, 2019 2:01:39 pm EDT
Hello Alan,

Thank you for purchasing a license!

and having some trouble with the file transfer portion of the app

Sorry for that, we will be re-writing the File Transfer module some time soon.

While setting up the MSI Installer, I had an idea about the email notification portion that I wanted to share. Paid users could have an online account that links to their installer that allows them to configure some of the extra options such as the authentication and email notifications of a new ID being generated. Then the application rather than sending the notifications through SMTP could relay that info to RemoteUtilities (or other repeater?) where the info could then be emailed to the user.

Implementing an online account is indeed in our plans for the future. However, making the installer send emails via our company-hosted script would be a step back to the mechanism which we have abandoned in favor of the "SMTP method".

The difference is that if the host gets decompiled, there is a chance of disclosure of where the emails are being sent, and maybe passwords as well. As it is I created a new gmail account, set it to forward to my normal account and then deletes it, wrote a script that auto flushes the trash every minute on that account so there is no record of it.

If you mean Host access passwords, they are not disclosed. When you choose "Automatically generate Host password" the password is encrypted with a public key on the Host side. In order to decrypt it one needs the private key which only resides on the Viewer side, initially in the Viewer where you actually built the installer although you can also copy the key to another Viewer.

If you mean the SMTP password though, it's indeed can be extracted from the installer but that's "by design". There is simply no other way to simultaneously protect the SMTP password and use it on the same Host. We explicitly warn the user about this:

Email Notification Idea - 11 Apr 2019 01:58:44

Also, we do suggest that the user avoid entering their primary email account credentials and instead use a "disposable" email account for that single purpose of receiving Host notifications. Even if someone gets access to those emails they won't be able to connect to Hosts because of the above mentioned reasons - they won't be able to find out the password because it is never sent plain in an email. Besides, there is also two-factor authentication which can be enabled for added security.

Let us know if you have any questions. Thanks.
Alan Halls, User (Posts: 23)
Apr 11, 2019 5:46:26 pm EDT
Thanks, I do appreciate your extra info on how that works. What I was trying to say is that if all of them sent the email to distribute@RemoteUtilities.com, which contained only the ID number of the user, then on your side that ID could be linked to a delivery address. It would just be a fancy email forwarding system. That way a decompiled application wouldn't even disclose the business that owned it, it just has an ID number.

As your disclosure states, when the destination email address, and SMTP settings are retrievable, then unless someone did what I did, that email account could potentially contain all the ID numbers associated with the account. While I realize that there is some additional protection with the password, this seems like a nice option was all I was trying to convey.
Conrad Sallian, Support (Posts: 2993)
Apr 12, 2019 12:38:32 pm EDT
Hello Alan,

Thank you for the clarification. Still, this requires a centralized system with our service at the center, and this is exactly what we moved away from (due to abuses of the system and antivirus software being angry at us about that as a consequence).

However, we may look closer at this idea when we start implementing an online account.
MaxBlitzer, User (Posts: 68)
Apr 30, 2019 6:28:33 am EDT
Conrad,

Shouldn't the pop up message say, "Instead, create and use a dedicated and disposable email account for the only purpose of sending Host notifications"?  The password is for the sending email account, not for receiving notifications.
Conrad Sallian, Support (Posts: 2993)
Apr 30, 2019 10:32:24 am EDT
Hello Max,

That makes perfect sense, thank you for the suggestion. I will ask our development to correct the phrase in the nearest updates.

* Website time zone: America/New_York (UTC -4)