|T O P I C R E V I E W
||Posted - 02/22/2019 : 13:14:14
First of all congratulations for this awesome app.
I've gotten used with extensions from old Firefox, Opera and I find it hard to use a browser without them. In Chrome and newer Firefox extenions API does not have access on some pages and also they require all sort of permissions...
Looking to some alternative, I've found S+ which from the brief time I've tried it looks quite cool. And if gestures are so awesome in browser, why not extend it to other apps.
I have a couple of questions:
1. I did not manage to find a license file, does the license of the app permit usage of StrokesPlus on a PC that is also used for business purposes (commercial use)?
2. does the app have any data being sent over the internet? (telemetry, analytics, etc)?
Thank you very much for your time and effort.
|8 L A T E S T R E P L I E S (Newest First)
||Posted - 02/25/2019 : 06:56:09
Yes, the purpose is to make S+ operate as seamlessly as possible.
This was primarily a big issue when Windows 8 came out, as without UI Access, S+ could not interact with the Start "window" nor Windows 8 Metro (or whatever they finally named them) apps. The Task Manager and other programs that were run as administrator were other reasons.
A lot of S+ users are power users, so they commonly run programs with higher permissions. Sure, you could start S+ as Administrator, but then it either prompted you on Windows load with the UAC prompt or wouldn't let you have a program automatically start as Admin (can't remember).
So this was the perfect balance of allowing interaction of Windows 8 screens/app, elevated programs, and start with Windows without bothering the user.
||Posted - 02/25/2019 : 06:42:07
Great details @Rob, congratulations on your approach to your users.
It is a bit unclear to me why uiAccess is required or it's a workaround to have the app behave as wanted. I mean, I understand that it is required to self-elevate the process but I don't understand why you mention that it is intended for accessibility programs. In the link you've added it mentions that when set to true, allows interacting with other app windows. Does the S+ have some accessibility features?
However, what is interesting is that running the unsigned version, so not uiAccess, still allows to draw the gesture on top of other windows. So the purpose of uiAccess is to give S+ more privileges in case the user may want to interact with certain apps?
||Posted - 02/22/2019 : 15:57:07
Some additional info, so in the signed StrokesPlus.exe manifest, which is embedded during build, there's this entry (you can open StrokesPlus.exe in Notepad++ and find this string):
<requestedExecutionLevel level="asInvoker" uiAccess="true">
asInvoker means it runs with the current user's privileges, but uiAccess = true means it's allowed to interact with the UI overall. This is intended for things like accessibility programs, for example, to help a blind person use the operating system, etc.
See here for the details about this and the requirement of not only the certificate, but also that it must be installed under Program Files.
From the article:
Part 6: App-V and Manifest using UIAccess=True
As mentioned before, UIAccess=true allows, under certain circumstances, for a process to self-elevate a minor amount (0x10 or decimal 16) without a UAC prompt. There are various descriptions of the requirements, some of which are misleading (and hence my involvement with the ISV). The best description that I have found is shown below, which is from this TechNet reference.
UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
\Program Files, including subfolders
\Program Files (x86), including subfolders for 64-bit versions of Windows
||Posted - 02/22/2019 : 15:45:06
Only an application which was signed with the certificate would be able to use the certificate, and I have that certificate well protected.
The certificate that gets installed can not be used to signed an application, only the pfx I have in my possession can be used to sign an executable. So no, you're not opening yourself up to anything. If you have admin privileges, you can create your own certificate on your machine, which nothing else could use unless you signed something with it.
||Posted - 02/22/2019 : 15:37:26
Thank you again, that sure was quick. I get it.
Since it makes a lot of sense to have it started with windows and not manually, the self signed is the way to go. I am not interested on the "interact with elevated programs" but auto start is quite beneficial.
And a last question, hopefully, could the install of the S+ self-signed certificate rise any security concerns? Am I exposing myself to some risks?
Have a great weekend.
||Posted - 02/22/2019 : 15:21:43
Yes, the download from www.strokesplus.com is the completely isolated version.
The download from www.strokesplus.net is the one with update checking.
So none of the installer executables themselves are signed, as that's costly. So when you install, it says publisher is unknown.
The program itself has a signed and unsigned version. Only the signed version will be able to start automatically with Windows and be able to interact with elevated programs like Task Manager.
During the install of the signed version, it installs a self-signed certificate into the StrokesPlusCertStore, so it requires admin privileges to install.
The unsigned version does not require this self-signed certificate, but cannot start with Windows nor interact with elevated programs.
||Posted - 02/22/2019 : 15:14:42
Thank you @Rob so much for your detailed answer.
I've got it, free to use for personal or comercial setting.
The second part, please correct me if wrong: the file to download from this forum (for instance https://www.strokesplus.com/forum/topic/1165/version-2864) is the original StrokesPlus version which is isolated and does not connect to internet in any way. All the data used by the app and window readings and interaction info is stored only on the PC it runs and not shared anywhere.
The new alpha version is from another site, the .net one but that also installs from another location.
Secondly I have another quick question from the documentation (https://www.strokesplus.com/faq/#startup):
There is a mention:
This can be accomplished, but the program must be digitally signed, which is very costly. Since StrokesPlus is a free program, I don't make in donations anything remotely close to the recurring costs of keeping S+ signed.
however lower on the page it says:
Generally, unless you are a control freak or have a specific reason as to why you don't want to install the signed version using the setup package...use the signed version.
Are there 2 types of signing? The recommended download is Setup Package - Signed, Win Vista through Win 10 right?
Thank you again for your time, I really appreciate it.
||Posted - 02/22/2019 : 14:46:01
StrokesPlus is licensed under MIT, or at least that was the intent! Perhaps I never actually included one. So yes, completely free to use, personally or in a commercial setting.
StrokesPlus does not connect to the internet in any way at all.
The newer version, StrokesPlus.net does have an update checker, which connects to the web server for the latest version and includes the primary MAC address as reported by Windows. This is for some kind of metrics as I have no reliable way to gauge user volume. However, that update check can be disabled in the Options. The only other connection within StrokesPlus.net would be if you chose to login from the tray icon, which would pass the same data in addition to forum login credentials. Again, that is optional as well.
So the original StrokesPlus is completely isolated in every way. You can use Process Monitor by Microsoft and see it only accesses local data related only to StrokesPlus.
StrokesPlus.net does reach out, but are optional, and when disabled there is also no external connection attempted, unless you wrote a script which accesses the network or Internet.