Receiving FLEXlm Error -88,309: System Clock Has Been Set Back (2020)

Simple but probably effective. In terms of protecting against regular end users fiddling with the system time I mean.<p>On a related note I remember many years ago when I was using Windows, and there was a third-party utility to monitor the registry for changes.<p>I only had the trial version of the utility, but using the utility itself I found that they were storing information in the registry about when the trial would expire. So I was able to use the utility to discover and defeat the trial protection of itself.<p>So that was cool in and of itself. But I also found that, even though this was in a time before most software would do online checks, many pieces of software were able to know that the trial had expired even if I tried things like setting the clock back or removing registry entries they had created.<p>Probably some of those pieces of software were doing similar things to the one mentioned in the OP. But it never occurred to me at the time. I’m not even sure I would have thought of this even today if I were to try it.<p>But these days I use software that’s open source for a lot of things instead, and where I need proprietary software I pay for it instead. If it’s proprietary and not worth the money then it’s not worth using either. Though I am still sad that Adobe switched to a subscription based payment which I ended up not being able to afford and don’t want to sign up for again because of their horrible billing practices. So I am stuck not being able to run Adobe software even though I would have liked to.

The following is entirely from memory:<p>FLEXlm was originally written by just one guy. I think I remember his name -- his initials are M.C. if anyone would like to confirm that I&#x27;m recalling correctly. When he sold his stake he got ~$10 million. The software went through many ownership changes. I think this was when it went from Globetrotter to Macrovision. When he got his ~$10 million he gave about $2 million to his current employees as a gift. I thought it was a very honorable thing. He had no legal obligation to do so.<p>This isn&#x27;t inside information; it was all published <i>somewhere</i> but it&#x27;s funny how the web can &quot;forget&quot; things after a couple decades.<p>EDIT: I found something that at least confirms the name I was remembering, Matt Christiano, and a history[1] of license management that he wrote in 2007.<p>[1] <a href="http:&#x2F;&#x2F;reprisesoftware.com&#x2F;blog&#x2F;2007&#x2F;01&#x2F;a-brief-history-of-software-license-management-2&#x2F;" rel="nofollow">http:&#x2F;&#x2F;reprisesoftware.com&#x2F;blog&#x2F;2007&#x2F;01&#x2F;a-brief-history-of-s...</a>

When I see the word &quot;security&quot; used like this, I wish the person who used it would be honest about whose security they have in mind. (Also, they should be clear about whether they are talking about cyber security, or financial security, or personal security.)<p>It&#x27;s like the word &quot;protection&quot; in the terms &quot;copy protection&quot; or &quot;content protection&quot;. Those at least make clear that it is not the user who is being protected, but it&#x27;s still disingenuous to suggest that a file is somehow harmed by being copied. If anything, having more copies of a file only makes it safer.

Archived in case it is deleted.<p><a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20210829234321&#x2F;https:&#x2F;&#x2F;community.flexera.com&#x2F;t5&#x2F;FlexNet-Publisher-Knowledge-Base&#x2F;Receiving-FLEXlm-Error-88-309-System-Clock-Has-Been-Set-Back&#x2F;ta-p&#x2F;5825" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20210829234321&#x2F;https:&#x2F;&#x2F;community...</a>

Back in the days we actually had to use this trick. We knew we had enough licenses but at some point people started complaining that others wouldn&#x27;t give back shared licenses.<p>It turned out the server didn&#x27;t register them in when someone signed off.<p>So after troubleshooting we ended up doing exactly what this trick is protecting against, setting the server clock to somewhere in the future.<p>Worked nicely back then.<p>This was just as I left that place, a few weeks later my college told me they had found the problem: our previous it manager had installed a new instance of the license server on a faster machine. He had not installed the license files (nor documented it anywhere) though so the new server would just say thank you and discard the license token whenever anyone signed out.

FlexLM --- certainly gave me a bit of nostalgia from all the time I spent on it as a cracker few decades ago... I guess it&#x27;s still found on very expensive&#x2F;specialist software which hasn&#x27;t become entirely service&#x2F;cloud-based.

I expect the purpose of enterprise license management software like this is less to prevent unlicensed use (which is basically impossible) and more to help organizations track their license usage and stay compliant with whatever the terms are.<p>It&#x27;s a beautiful comment though, and an interesting scheme that could potentially break relatively easily.<p>In my experience, the license manager usually goes out to lunch at the most inopportune moment – usually before some important deadline, coincident with IT support (or anyone who is capable of fixing the license manager) being out of the office for an extended period.

Assuming the original version from 2007 was guaranteed to be internal only, it&#x27;s not looking good for whoever decided to expose the knowledge base. Bonus points for outsourcing to a third party support forum so we can admire the self-pwn while they struggle to find who has admin privileges to take it down. How much was that MBA&#x27;s bonus?

Back in my days of programming shiny round discs, we had a client request to put a time bomb in an interactive CD-ROM. To test it, we adjusted the date on the computer that did our MPEG-2 encoding for DVD. As was bound to happen, the date did not get reset to current time, so that some DVD encodes were encoded in the future. It took so many calls back&amp;forth with support to figure out why these files were misbehaving.<p>TL;DR becareful when adjusting the dates as there may be unintended consequences

I work in Security and we talk about barrier management. A security barrier is be something you implement to avoid a certain hazard to begin traversing your bowtie risk model (google it).<p>This particular case of doing a technical check by chcking files&quot; timestamp for timestamps set in the future is NOT a security reason. It is a license compliance check, but has nothing to do with security.<p>Also, if I were a customer of this company which apparently sells me IT Lifecycle tools that should help me with IT cataloging and omventory, I would be livid if the solution stopped working because it had identified &quot;bad date&quot; files somewhere in my IT landscape. I would migrate the hell away from it there are plenty of other vendors.

I guess we should try to list as many non-adversarial ways you can end up with a future dated file:<p>1. Incorrectly set clock, corrected after files were modified.<p>2. Slightly corrupt file system.<p>3. Copied files from another system.<p>4. You&#x27;re testing your own DRM.<p>5. Other software doing similar crazy things you&#x27;re unaware of.<p>6. Testing software that needs the date changed for certain scenarios.<p>7. Bug in time sync software.<p>Others?

the flexlm usecase is: protect revenue for vendors that sell into large companies&#x2F;organizations by making drm that is sufficiently annoying to defeat and&#x2F;or live with in a degraded state such that it&#x27;s more annoying than dealing with internal bureaucracy to get accounts payable and information technology to actually pay the software vendor.<p>saas of course just threatens to turn things off when the bill isn&#x27;t paid.<p>it&#x27;s how big organizations work, nothing happens until it&#x27;s annoying.

FlexLM is still used all the time. I wish I knew enough to crack it, just to know how. I&#x27;ll bet it&#x27;s fascinating.

Ha. Files that won’t be made for &gt;24hr according to your system clock in important directories will flag for abuse. Good to know how to screw with your users I guess?<p>I don’t know much about DRM methods, but I assume this is a Windows95-level weak one?

I remember the date trick, many computers were set at the wrong date back then for that reason.<p>But nowadays, a computer at the wrong date is pretty much unusable because of certificates, so much that it has become one of the typical tech support question, just after &quot;is it plugged in&quot;.