when I launch the viewer my internet id computer is immediately displayed as online. but my local pc's are listed as offline until I click connection/refresh status. why is this? I would expect local pc status to be displayed quicker since they are local and on the same network. this is very annoying. why do I need to click connection refresh status in order to see my local pcs that are online?
This is by design. This limitation is necessary to prevent a situation when hundreds of even thousands of PCs overload the network with requests.
due to this annoying status behavior I have another question if I use internet id for my local computers and connect to them will my connection go direct to the PC (ip) or will it go through your internet ID server?
If the program can automatically determine direct route, the connection will be direct even if it's Internet-ID in the connection properties.
I'm sorry, but this is not how the Viewer is supposed to be used, and such capabilities are not advertised anywhere on the site or in our sales literature. We cannot provide assistance on undocumented capabilities like changing resource files or re-arranging controls or reverse-engineering of the software. Besides, any such use may violate our EULA.
The program is provided as is and the only customization options are those available in Options/Settings for the corresponding modules and our MSI Configurator.
We will not delete the post. If we were afraid of having discussions on our site, we wouldn't have a forum in the first place. As you can see - everyone here can speak. Of course, if they follow our forum rules.
As for the subject:
1. This exploit only appears if you run a custom Host installer with the "Generate ID" function enabled AND if you click the "Tell me more" button.
2. This bug can only potentially be exploited by the remote user himself - to elevate their permissions. Yes, perhaps there might be other far less probably uses, but overall it has a very limited application/scope.
In this specific case marking your post as "BIG SECURITY ISSUE" could be misleading. Someone who visits our forum may think that our software in general has a big security issue that applies to absolutely all cases, which is very far from the truth.
So instead of posting here on the forum you could just send us a ticket or an email, and this bug would have been fixed in a few days without anyone even knowing about it, which is good for security. Security issues are not something that should be immediately disclosed - it is advisable to contact the developers privately first, and see how they respond. And if they don't respond and refuse to deal with the issue it may be time to use public pressure. Unfortunately, you decided to use public pressure right from the start as if we were unresponsive or unwilling to fix issues.
We never said that we didn't like when our customers or users let us know about exploits in our software. Quite the contrary, we can only be thankful for that and we encourage users to send us security bugs - the more the merrier. However, our concern is that making such information public BEFORE the bug is fixed is somewhat imprudent and can diminish security for existing users who use that specific feature. This is certainly not a proper way security bugs should be dealt with.
This update is going to have other fixes and a reworked MSI Configurator. Today we'll be doing final testing before we provide it. So it's not this only bug that this update is going to fix.
Although the bug you mention is a security concern, it is not THAT major or urgent as you might imagine. If it is of so much extreme importance for you please restrain from distributing your Host installer for a while before we provide an update.
Sorry, we do not utilize a "piece of cake" approach. We need to make sure that the next update has been tested before we can make it public. Besides, publicly speaking about found exploits doesn't make your existing installations more secure, hope you understand.
If we have a beta we will make it public and let our users know about it. But we cannot share each and every step of the development process. Each company decides how much transparency it should provide and we don't believe that being that transparent necessarily speeds up the development process. We would rather spend this time and effort on the development itself.
Sorry, we didn't count how many customers we lost. That would be a useless exercise, given how much work to do we have ahead. We strive to fulfill as many promises as we can but it's not always possible to fulfill them all within a reasonable time frame.