AxCrypt2Go & AxDecrypt

[svante]

Hi,

Thanks for the relevant responses!

@smaragdus, I might indeed in the future have different ways of running AxCrypt, but one of the issues here is that it's not trivial to develop and manage different versions and different licensing schemes. It takes time, and that's my most precious commodity. Then again, I don't like software licensing that much as a business model. But I'm pragmatic, so I won't close that door. It also makes for complicated scenarios and difficulty in explaining the difference etc.

@webfork, you write "If you continue to go the adware route". Right now I'm completely abandoning adware. As mentioned, the new software and the new web site is entirely free from advertising of any kind.

What I'm aiming for with AxCrypt is the Freemium model, which is a combination of Free and Premium, where the Free level is meant to be roughly equivalent to the old AxCrypt 1.x functionality (yes, the shredder is right now Premium, I may reconsider that, but then again shredding doesn't make as much sense as it used to what with wear levelling firmware in SSD's etc).

I was not aware that a registering requirement was such a red flag, thanks for that input. We do have some good reasons for it, but there are lots of disposable e-mail providers out there and that's the *only* thing we ask for. A working e-mail. We do not ask anything else.

Browsed the FreeFileSync thread, not sure I understood what the big problem was there, but from my point of view I see many differences. I've been very open about OpenCandy in the old version, and I've always provided entirely clean installers as well, as well as various instructions on how to avoid OpenCandy. No need to do tricky extractions, and I do not try to stop it either should someone want to waste their time doing that. Nor do I understand why so many object to that OC dll being left behind. It's just a dll. It can't even be run without an executable host. If it is loaded by other software left behind and autostarted, that's something else. But an orphaned dll? No big deal in my mind, even if it has a signature that is detected by antivirus scanners. It's passive and can do no harm unless loaded and run by an executable host.

Anyway, I'm happy this discussion has taken a turn for the better with some facts and relevant opinions.

Obviously, I'm not interested in alienating my old users, but the alternative right now to doing something on the revenue side is to make AxCrypt abandonware, and that's not going to help either. In abandonware vs. registerware I vote for registerware.

To be honest, I've had surprisingly few negative views about the registering requirement. This will be loosened though, we will offer an offline mode of installation that does not require an online registration. It's on the list of things to do. See https://bitbucket.org/axantum/axcrypt-n ... d-key-pair .

I'll keep monitoring this thread, and listen to what you guys have to say.

[Midas]

I don't have anything relevant to add, but I wanted to say I think you just set a shining example for developer feedback here, Svante.

[webfork]

@webfork, you write "If you continue to go the adware route". Right now I'm completely abandoning adware. As mentioned, the new software and the new web site is entirely free from advertising of any kind.

Really?

Retained full access to all AxCrypt 1.x software, compiled with and without OpenCandy and with full source code under GPL. I.e. no change.

I guess that's sort of like abandoning it but – even with the option – you're going to get associated with OpenCandy installs.

I was not aware that a registering requirement was such a red flag, thanks for that input.

I don't know if other sites have that issue but it's been a constant here.

We do have some good reasons for it

Like?

[svante]

@webfork, you write "If you continue to go the adware route". Right now I'm completely abandoning adware. As mentioned, the new software and the new web site is entirely free from advertising of any kind.

Really?

Yes, really. Not sure what you're implying. AxCrypt 2 is entirely free of any kind of advertising, as is the website http://www.axcrypt.net .

Retained full access to all AxCrypt 1.x software, compiled with and without OpenCandy and with full source code under GPL. I.e. no change.

I guess that's sort of like abandoning it but – even with the option – you're going to get associated with OpenCandy installs.

What I'm saying is that I'm leaving it unchanged. As is. Yes, it had OpenCandy. Yes, it'll have OpenCandy for a while now too. Keeping it that way won't change the fact that AxCrypt is already associated with OpenCandy. And yes, I will be 'abandoning' the 15-year old C++ code base that is AxCrypt 1.x. I'm done with it. A lot has changed since then, one of them being that I enjoy getting 10x as much done in C#/.NET as in C++/Win32 with the same amount of time

I was not aware that a registering requirement was such a red flag, thanks for that input.

I don't know if other sites have that issue but it's been a constant here.

As I said, it's the first I've heard of it. Then again, I'm not that active in those circles. I just write code.

We do have some good reasons for it

Like?

The registering requirement is there for a variety of reasons. Here are some of them:

One of them is to guarantee a working e-mail. You have no idea how many annoyed users I've gotten e-mails from, them being annoyed at me because they think I'm not responding. The real reason being that they typed the wrong e-mail in their reply-to, or have other problems receiving e-mail. Now we have the Premium support on the web site with a guaranteed verified e-mail. Works much better!

Another is that we'd like to get something back even from the free users, something that does not cost them anything at all, not even your entire personal life like with Facebook. What we do is that when you register, we create a RSA-4096 key-pair, and encrypt the private key with your password. The public key is available via a REST API, that AxCrypt 2 uses. This makes it possible to implement the key sharing feature, and to build a large catalog of public keys. That is something very useful, and may in time be of value to us thus enabling continued development.

Another is that by having a server account, we can actually implement the subscription model. Yes, I know you're going to say "that's what I thought", but it's just one reason. It's simpler than the alternatives, with for example signed license ticket tokens or whatnot. Having a payment model that works also makes it possible for us to entirely skip advertising as a revenue stream. Yes, really.

Another is that we can integrate and offer other services seamlessly, thus increasing the usefulness and value of the entire software. Specifically this includes the password manager.

Having the server side also enables us to synchronize keys and stuff, and do other things in the future. This requires an account, and it improves usability. For example, if you encrypt files in three different devices, and then change your password, this will have effect on the other two devices (after they sign in) and on all previously encrypted files. (We do this by always encrypting the file session key with the public key of the user, as well as with the current password.) This is a huge usability feature, all for the cost of a registration requirement.

By having the connection to the account, we also know what culture (language) your client is using (yes, we send that to the server). This makes it possible to send e-mail in the correct language. That's a huge usability improvement for many non-english speakers.

So, what's so terrible about the registration requirement? We ask for *nothing* else than a working e-mail address. We don't care if it's disposable, that's your problem (of course you lose the benefits, and also enable malicious password resetting by others, but that's also your problem. It's not a security risk, it's just annoying.).

We're not tracking you, we're not selling your data to anyone (we don't have any really, just your e-mail, and some web logs of course).

Those are some of the most obvious reasons that come to mind. I think most of them are good reasons for that simple requirement. A working e-mail.

I think it's a smashing deal! More than 3000 hours of development, more than 50000 lines of code at your disposal for the cost of telling us your e-mail-address. From which you'll benefit even as a Free user. Yes, we may also benefit a tiny wee bit, but it's mutual!

Why is this so bad? I mean apart from some kind of religious principle, in which case there's no use in asking what the possibly good reasons for the registration requirement are, since it's a principle and it doesn't matter what the reasons are. I'm assuming you're asking because you want to know if there in fact are some good reasons that would make the requirement legit.

As with everything, I don't think there's anything inherently good or bad with a registering requirement. It's the why and the how that matters. I think.

[webfork]

What's so terrible about the registration requirement?

Hopefully we are at a stage where it's clear to everyone why people are reluctant to give out their email addresses. I recognize the availability of temporary email services that work great for getting around these issues but even then you're still giving someone your email address to THAT service and it's just a lot of extra steps when you're a casual user and don't know if a program is going to work for you.

As a result, “freeware” is generally considered as distinct from “registerware” or “registrationware”.


It's not banned

... apart from some kind of religious principle, in which case there's no use in asking what the possibly good reasons for the registration requirement are, since it's a principle and it doesn't matter what the reasons are.

This is far from written in stone (there's not even a note about it in the FAQ). However, there have been some really excellent programs have come along like FreeOffice and ClipDiary, but there hasn't been a major effort by anyone on the forum to push for a change in the registration rule. EDIT: This is not actually a rule, just a convention, meaning we had not yet added a registerware program.

If you think this is just me talking, I put together a few posts of users making distinctions between freeware and registerware:

http://www.portablefreeware.com/forums/ ... 866#p72866
http://www.portablefreeware.com/forums/ ... 4779#p4779
http://www.portablefreeware.com/forums/ ... 386#p75386 (sorta)

Certainly your program could be the thing that flips over the rule finally. I don't make the rules here.


Redistribution

Another reason I avoid registerware is that I'd like to be able to host something should you decide to walk away from the project. Maybe that sounds cynical but it happens quite a bit here. I and my colleages go wandering around the interwebs trying to find a mirror for many a decade-old program. It's not certain but more likely a program that's not behind a email distribution wall will remain available.

---

Regardless, thanks for taking the time to answer all this. Assuming it's useful, I might suggest adding this exchange to the FAQ.

[svante]

Hello,

Good discussion here.

Hopefully we are at a stage where it's clear to everyone why people are reluctant to give out their email addresses.

Yeah, in the meantime we have our smartphones and gladly give any software permission to read our phone book. Not to mention facebook. And everything else that's too long to list here.

Also, you do realize that just to be able to get a voice on this forum I'm required to... drumroll... wait for it... register with my e-mail!

You need to login in order to reply to topics within this forum. In order to login you must be registered. Please note that you will need to enter a valid e-mail address before your account is activated.

On the AxCxrypt forum we don't have that requirement

It's not certain but more likely a program that's not behind a email distribution wall will remain available.

Just to clarify. AxCrypt is *not* behind an e-mail distribution wall. It's freely downloadable, along with the entire source code. However, we do have a startup requirement to register. We will be providing a way around this in the future, in response to the obvious question "What happens if you fold, or your servers are unavailable for a long time, or we can't use Internet at all.".

Once again thanks for a good discussion.

Svante

[webfork]

I'm required to... drumroll... wait for it... register with my e-mail!

So to summarize, we're hypocrites because we require email addresses too?

First, only a minuscule number of visitors give us their email address (it's in the 0.01% range) and there is no private, members-only area so the only reason people give us their email is if they want to post to forums or directly message users. Therefore, the far-and-away huge majority of what the site has to offer doesn't require an email address. So if you're comparing our site to the programs we review, you could at worst describe us as “freemium”. Also, this isn't exactly a big company running this (I'm a volunteer, ads just pay for bandwidth) and I have no idea we'd institute a non-email based system.

Second, I get that you've put a lot of time, effort, and energy into your registration process and you don't really want to hear someone giving you a hard time about the current state of an admittedly difficult process. However, I'm getting put into the rather absurd state of explaining how most people if they HAD to pick one would rather give you $5 rather than a real email address.

But maybe I'm wrong. Maybe I've represented attitudes about registerware unfairly and the reality is people don't care. So I'll go ahead and poll the group see if anyone thinks we should change the rule and expand our definition of freeware.

Hopefully we are at a stage where it's clear to everyone why people are reluctant to give out their email addresses.

Yeah, in the meantime we have our smartphones and gladly give any software permission to read our phone book. Not to mention facebook. And everything else that's too long to list here.

It's a risk-reward analysis. So for example here, you, me, and other users saw what was happening on this forum and we registered because there was a pretty good chance we'd get something. There was a high probability we'll login, post something, and get a response on something we care about, making it worth the risk. The same is true with Facebook, smarphones, and many other services.

I simply don't have that same confidence with software. I have downloaded *hundreds* of freeware programs that I've used once and then never again.

[svante]

So to summarize, we're hypocrites because we require email addresses too?

No you're not hypocrites, I just thought it was funny that I had to register with my e-mail to discuss about people having to register with their e-mail. Maybe, I found it a bit ironic. Not worse than that.

So if you're comparing our site to the programs we review, you could at worst describe us as “freemium”.

Like AxCrypt! That's what we are. Freemium. And registerware, kind of. We don't require a registration to download per se, but we do to get even free users activated.

Also, this isn't exactly a big company running this.

Like AxCrypt! We're a small company, at least for now!

However, I'm getting put into the rather absurd state of explaining how most people if they HAD to pick one would rather give you $5 rather than a real email address.

If a few percent of the people using the really, really, free, no registration-required version 1 of AxCrypt had donated $5 - it would have sufficed, and I would probably never tried the dreaded OpenCandy stuff, nor gone the route I'm going now. Sadly, that didn't happen.

It's a risk-reward analysis. So for example here, you, me, and other users saw what was happening on this forum and we registered because there was a pretty good chance we'd get something.

Agreed. I'm thinking that an e-mail is really not that secret etc, and that it would be worth the 'risk' to register in order to try my software.

I simply don't have that same confidence with software. I have downloaded *hundreds* of freeware programs that I've used once and then never again.

I get your point. But I'm personally kind of beyond that. My oldest e-mail address is over 20 years old (I used to have e-mail even before DNS and SMTP, when you had to route it yourself. I used to be ihnp4!mcvax!enea!arisia!svante (from the US)), and if there's a spammer out there who doesn't have my e-mail he's not doing his job right! My point being - I can live with giving out my e-mail, like I give out my business card at parties. The benefit outweighs the risk of abuse, because it's so abundant anyway. I just filter it.

But that's just me maybe.

[webfork]

Well, needless to say I was expecting more vitriol around registerware. The poll was informal and had only 10 responses, but I'm clearly not seeing the same ugliness as nagware or bundleware.

Also, this isn't exactly a big company running this.

Like AxCrypt! We're a small company, at least for now!

Not quite -- nobody's making any money off this and there's no plan to do so.

If a few percent of the people using the really, really, free, no registration-required version 1 of AxCrypt had donated $5 - it would have sufficed

I'm well aware that people don't donate to good projects. It's a very sad reality in open source and freeware.

It's a risk-reward analysis

Agreed. I'm thinking that an e-mail is really not that secret etc, and that it would be worth the 'risk' to register in order to try my software.

To be clear, I'm speaking generally about registerware and not describing your project as risky.