Code security

I’ve just created a rails application for a friend’s business.
I’m going to place the application onto one of his computers so he can
access it from within his network.

What can i do to make sure he cannot read/edit the code? I can’t see
what i can do. Its on a windows xp machine and he has full admin rights.
He’s not an expert PC user so the solution doesn’t have to be fully
secure, it just needs to be hard for him to access. It’s really
important that he doesn’t read the code

Anyone any ideas what i can do??? any help would be really appreciated!!

Thanks,
Chris

If he has admin rights to the machine where the code is installed, I’m
pretty sure it’s not possible for you to prevent him from read/editing
the
code. It think the only solution we be to put the code on a machine
that he
doesn’t have administrator/root access to.

I acree with Paul, but version control is your friend here. If you allow
him
read-only access to your repository, and give him a working copy, you
can
track and roll back his changes easily in the event of an ‘accident’.

Lee

+1 on James comment. Why wouldn’t you want him to “read the code” ?

On 1/28/06, Chris [email protected] wrote:

It’s really important that he doesn’t read the code

Why?

This seems like there’s something else going on.

On 1/29/06, Dylan S. [email protected] wrote:

+1 on James comment. Why wouldn’t you want him to “read the code” ?

So that it doesn’t become theirs. I’m sure open source software would
be much better if you could open any binary in an editor and see the
original code, due to the same ‘borrowing’ that Chris probably doesn’t
want to happen. That it’s hard to obfuscate programs written in
interpreted languages is why I haven’t bothered trying to sell any of
them, anyway.

Sincerely,

Tom L.
http://AllTom.com/
http://GadgetLife.org/

Here are instructions to package your rails app as an EXE!! it seems to
work like a charm.

It solves my problem of anyone borrowing my code!

http://www.erikveen.dds.nl/distributingrubyapplications/rails.html#2.1.0

On Jan 29, 2006, at 5:05 PM, Chris wrote:

Chris-

Note that when you package and app that way it is only providing

minimal security. When your user double clicks on the exe file the
rubyscript2exe will just uncompress your code into a temp dir. So it
will still be available in plain text on the system after it gets run
once.

Cheers-
-Ezra Z.
WebMaster
Yakima Herald-Republic Newspaper
[email protected]
509-577-7732

Agreed, but unless the person with your code has a fairly significant
reason to try to extract the source (e.g. you’re trying to gouge him
on price for maintenenace work later on, or he needs some work done
and you’ve just been run over by a bus), >90% of people would see the
EXE file and not bother trying to extract the code.

If someone really wants to pull apart your code, it’s very difficult
to hide it without going to extraordinary lengths. Even compiled
languages can be decompiled into something vaguely like the original
source - at least to the point that it could be changed and recompiled
by someone with sufficient determination. For apps that could fall
into this category, I just deploy them on a Web server that I control
and give the users access to it.

rubyscript2exe is a really nice way to deploy apps to customers, by
the way - nothing like being able to give out a single EXE file that
is the app, rather than sending 3 BAT files, 13 EXEs, 123 DLLs, 4
XML files, … and then finding your customer doesn’t have Winzip to
unpack it all!

Regards

Dave M.

What’s wrong with people borrowing your code? You’re ‘borrowing’ rails.

On Jan 29, 2006, at 5:05 PM, Chris wrote:

Here are instructions to package your rails app as an EXE!! it
seems to
work like a charm.

It solves my problem of anyone borrowing my code!

Distributing Ruby Applications - Theory and Practice of Building, Packing and Distributing Ruby Applications
rails.html#2.1.0

That only makes it more difficult to access the ruby files, not
impossible. A debugger could pull them out of memory with a bit of
work.

You really want a Ruby obfuscator like ZenObfuscator.

–
Eric H. - [email protected] - http://segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

Get a host that supports Rails and throw it up there. Problem solved. =P

• Rabbit

I’m guessing that’s meant to be a rhetorical question, but if not:

• my code is mine, and I’ll share it around as I see fit. I may
  choose to GPL it, or I may release it under some other open source
  licence, or I may not; either way, it’s my choice who sees my code
• I may have wrapped some proprietary algorithm (that I myself own) in
  my code, and I don’t want other people to see it. For example, the
  algorithm may have a pending patent application, in which case I won’t
  want to have it seen unless/until the patent is granted
• I may charge money for people using my code (a la Microsoft), and
  having them be able to see the source might compromise my income
• there may be unimplemented functions or other cruftiness in my code,
  so while I’m happy for people to use it in its present state, there
  may be a personal/professional integrity issue that I don’t want to
  face if/when people start digging around inside it
• I might want to sell support/maintenance services surrounding my
  code, and therefore giving people access to do this themselves would
  jeopardise my income
• there may be other issues relating to the “hidden-ness” of my source
  code that make obscuring it a good thing. For example, having
  observed some of it personally, I wouldn’t be at all happy if banks
  started releasing the source code for their Internet banking
  applications to all and sundry. Sure, they might eventually wind up
  with a more secure application after the public trawled through their
  code, identified bugs and fixed them, but would there be any money
  left in the safe by the time that happened?
• I might have stolen other peoples’ source code and cut/pasted it
  into my app, and I don’t want those affected to find out about it.
  No, I can’t think of anyone who would ever do this, so scratch it as a
  possibility…
• I might have reused some old source code in my new application. If
  the old source code was written under contract to some other customer,
  who then purchases it in its entirety, I’m not allowed to reuse it
  (subject to local laws and interpretations). While every coder worth
  his/her salt reuses their old code all the time, in some circumstances
  it might pay to be discrete about it

Just because the good people who created Rails are happy to have its
source shared around, doesn’t mean that everyone else feels they
should act the same way, at all times.

Regards

Dave M.

On Mon, Jan 30, 2006 at 02:57:52PM +1100, David M. wrote:

I’m guessing that’s meant to be a rhetorical question, but if not:

• my code is mine, and I’ll share it around as I see fit. I may
  choose to GPL it, or I may release it under some other open source
  licence, or I may not; either way, it’s my choice who sees my code

Who said anything about releasing the code under a FOSS licence?

• I may have wrapped some proprietary algorithm (that I myself own) in
  my code, and I don’t want other people to see it. For example, the
  algorithm may have a pending patent application, in which case I won’t
  want to have it seen unless/until the patent is granted

Better treated as a contractual/trade secret issue than a code
obfuscation
one.

• I may charge money for people using my code (a la Microsoft), and
  having them be able to see the source might compromise my income

Better treated as a contractual issue than a code obfuscation one.

• there may be unimplemented functions or other cruftiness in my code,
  so while I’m happy for people to use it in its present state, there
  may be a personal/professional integrity issue that I don’t want to
  face if/when people start digging around inside it

I think that allowing your customers to see what sort of a programmer
you
are would be a brilliant reason to open up your code – if not for your
benefit, then for theirs.

• I might want to sell support/maintenance services surrounding my
  code, and therefore giving people access to do this themselves would
  jeopardise my income

Better treated as a contractual issue than a code obfuscation one.

• there may be other issues relating to the “hidden-ness” of my source
  code that make obscuring it a good thing. For example, having
  observed some of it personally, I wouldn’t be at all happy if banks
  started releasing the source code for their Internet banking
  applications to all and sundry. Sure, they might eventually wind up
  with a more secure application after the public trawled through their
  code, identified bugs and fixed them, but would there be any money
  left in the safe by the time that happened?

I don’t know about you, but I’ve not yet had an opportunity to run my
bank’s
Internet banking application on my own servers. You must have a
particularly interesting bank there.

• I might have stolen other peoples’ source code and cut/pasted it
  into my app, and I don’t want those affected to find out about it.

Gee, that’s a quality reason.

• I might have reused some old source code in my new application. If
  the old source code was written under contract to some other customer,
  who then purchases it in its entirety, I’m not allowed to reuse it
  (subject to local laws and interpretations). While every coder worth
  his/her salt reuses their old code all the time, in some circumstances
  it might pay to be discrete about it

This seems closely related to the previous reason.

Just because the good people who created Rails are happy to have its
source shared around, doesn’t mean that everyone else feels they
should act the same way, at all times.

Considering that the best two reasons given appear to relate to covering
up
illegal activities, I’m not sure that your arguments are looking pretty
thin.
I guess, though, that if you spend your time misappropriating other
people’s
code, you assume the same mindset in others.

AFAIK, there’s nothing that will effectively obfuscate Ruby code from a
determined person at this time. All of the “ruby into .exe” converters
are
quite useful for simple deployment, but not for obfuscation purposes.
Consider it a marketing benefit that your customers have the sourcecode
(call it “future-proofing” or whatever – most people in business have
had a
problem with a software vendor disappearing underneath them).

• Matt

OK, I should’ve said up front that I don’t pinch other peoples’ code,
nor do I have a problem with people seeing my sometimes-crappy code.
However, other people do.

My points still stand, however: the choice of how to distribute code
should be left to the author; code obfuscation has its place, although
I agree it’s not a great standalone security solution; people do
misappropriate others’ code, or re-use code they’ve written and then
sold, and don’t want to highlight it. With all due respect, any of
these would be sufficient reason for someone to choose to not publish
source. Witness the reluctance of some companies to release code
they’ve borrowed that was under the GPL, which they’re then obliged
to make available along with their changes - there’s been a sizeable
number of these issues discussed in Slashdot over the past few years.

Even with one of the most powerful (not to mention busiest) legal
teams around, Microsoft doesn’t release all their source code and then
rely on binding contracts as a way of protecting their IP assets.
Ditto Oracle, and any number of other commercial software companies.
If they don’t release their code, that’s good enough reason in
itself for a lot of people to follow suit.

Finally, as far as Internet banking apps go - no, I don’t run these
apps at home. However, I have previously been employed as a
consultant to test Internet banking code for several banks, and in
every case the commercial imperative to “get it out there” has
eventually superceded testing that’s shown up flaws in the
application. Shock, horror - even Internet banking apps get deployed
when there are still known defects. To some extent, banks quite
definitely rely on the fact that others can’t see their source, but
also on other levels of security (e.g. firewalls, encryption, etc.).
I’m fairly confident that, given full access to the source for one of
these apps, someone would eventually be able to drain money from other
peoples’ accounts without their knowledge, simply because the
processes used to develop/test/remediate the code don’t work
perfectly. I’m also confident that the banks would gain very little,
if anything, as compensation in terms of improved security by
releasing their source.

Anyway, this is all getting way off the original topic, which related
to one guy wanting to protect his source from his customer, and which
has (presumably) already been answered earlier in this thread to his
satisfaction. Sorry if I wasted everyone’s time on trying to list
reasons why someone might not want to release their source, which was
a bit of a tangent to the original query.

Regards

Dave M.

LOL! Dude, SO much discussion for this. You’d solve your freaking
“problem” if you just got a HOST. You know, a “web site” where you can
throw your app on and let the client use it without seeing the code.

Here look! I’ll even point you to a couple:

Rimu Hosting - quality VPS starting
at $20/mo
Pipe Spring - shared VPS starting
at $11/mo

Or if you’re strapped for cash…

A Small Orange - $5/mo shared
hosting!

Make your app live and get on with your life.

• Rabbit

Rabbit wrote:

Or if you’re strapped for cash…

A Small Orange - $5/mo shared
hosting!

Make your app live and get on with your life.

Except that won’t work from a sealed intranet. Under those
circumstances, you may get somewhere giving them a black box to plug
in under their desk, or you may not.

On 1/29/06, Matthew P. [email protected] wrote:

having them be able to see the source might compromise my income

Better treated as a contractual issue than a code obfuscation one.

All I know about trade secret issues is the result of a 20 minute
convo in my very first CS class, so take this with a jar of salt

From what I remember, trade secrets are only legally protected if
they’re practically protected first. Meaning you have to exert the
effort to protect your trade secret, you can’t just be haphazard about
it and expect the law to take care of you. I imagine that
distributing your code along with the software is easily interpretted
as not protecting it. “Uh, if it’s so important that nobody
alter/copy it, why did you give it out?” Now that there are code
obfuscators and compiled languages, there really is no excuse to pass
out clear text source code if you want to protect it. It may not be
possible with Ruby yet, but I’m willing to bet a lot of
unsophisticated arbiters/judges would say, “Okay if you can’t do it in
this language, why’d you write the code in it?”

I know that IP is of course protected under open source licenses.
Perhaps it’s semantics, but I think it’s rather foolhardy to
distribute your source code and expect it to be considered a trade
secret.

Finally, I’m a huge fan of open source, but I completely understand
why many companies/developers choose not to go that route, and have
absolutely no problem with it.

Pat

Heya

it without seeing the code.
Many, many clients will not let this happen. Many of the clients I deal
with
want to maintain control over as much of their infrastructure as
possible
hardware wise and they are so not going to put something critical on a
server that isn’t in their full control or part of their existing
managed
leased space.

Soulhuntre

http://www.girl2.com - my girls
http://www.the-estate.com - my legacy
http://wiki.thegreybook.com - my project
http://weblog.soulhuntre.com - my thoughts

On Sun, Jan 29, 2006 at 10:59:10PM -0700, Pat M. wrote:

• I may charge money for people using my code (a la Microsoft), and
  having them be able to see the source might compromise my income

Better treated as a contractual issue than a code obfuscation one.

All I know about trade secret issues is the result of a 20 minute
convo in my very first CS class, so take this with a jar of salt

From what I remember, trade secrets are only legally protected if
they’re practically protected first.

Jar taken. “Effectively protected” includes such things as “customer
signs
contract saying ‘this software contains trade secrets and you are
required
to keep them that way’”. Otherwise, how would you protect your trade
secrets in areas other than software design – there’s no English
Obfuscators (despite the content of most web forums as being apparent
evidence to the contrary ). The rules regarding “effective
protection” are meant to stop people from putting up billboards and then
suing anyone who looks at them.

out clear text source code if you want to protect it. It may not be
possible with Ruby yet, but I’m willing to bet a lot of
unsophisticated arbiters/judges would say, “Okay if you can’t do it in
this language, why’d you write the code in it?”

You may be confusing trade secret law with the TPM provisions in
DMCA-style
copyright laws. Part of the problem with the whole lumping together of
several very different areas of law under the banner of “Intellectual
Property” is this confusion that people have when talking about them.
Trade
Secrets are a whole world of their own, completely different from
Copyrights, which are totally different to Patents and Trademarks.
There
are little-to-no commonalities between them.

I know that IP is of course protected under open source licenses.
Perhaps it’s semantics, but I think it’s rather foolhardy to
distribute your source code and expect it to be considered a trade
secret.

You’re not putting your source on the Internet for all to download –
you’re
distributing it to your paying customers after the execution of a
suitably
binding contract – two very, very different things. They can even have
some level of “Open Sourceness” about it, too – a sunset clause that
states
that, in the event that you go out of business / are unwilling to
provide
further support, the whole thing falls under the GPL for anyone to
maintain.
Keeps everybody happy.

There’s this widespread confusion that “giving people the source” means
“giving them the source under an Open Source licence”. It isn’t. Way
back
in the day, that’s how just about all software was provided – you got a
copy of the source on huge tapes, and you compiled it on your machine
(which
was, of course, different to every other machine). You used to get a
copy
of the source for Unix, 6th edition, for instance, for US$140,000 –
which
entitled you to run it on one machine (but with as many users as you
could
fit on a PDP-11 – what a bargain!).

Finally, I’m a huge fan of open source, but I completely understand
why many companies/developers choose not to go that route, and have
absolutely no problem with it.

People can try to make money any way they like. I just prefer it when
everyone is honest about the reasons for their business model. (Note:
not a
cheap shot at David, just a general statement of “feh” at the
proprietary
software companies, which I’m increasingly disgusted at).

• Matt