Andy J. wrote:
On 6 July 2010 10:34, Sumanta D. [email protected] wrote:
Or if there is any way so that I can encrypt my code
without interrupting the execution of the application.
If your client is determined to access your code even an encryption of
the Ruby source code will not be sufficient. In order for MRI to
interpret Ruby it must be decrypted. If the client has full access to
the system then this means that they also have access to the encryption
keys.
This is the same issue that makes decrypting DVDs possible. The keys
must be available to the system performing the decryption. Now maybe
doing this will discourage a client from making the attempt, but if they
are determined then there’s nothing stopping them from hiring someone to
“crack” your encryption. But, as I said it’s not really cracking it
since the encryption keys exist in a location where the client has
access.
Other compiled languages such as Java or .Net don’t effectively protect
your code either. Java (and likely .Net) can be easily decompiled into
amazingly readable source code.
In the end the only real solution is to protect your source code using
operating system security and by contractual licensing.
Props to Andy's solution - that's pretty awesome… hopefully not
everyone needs that!
This is the same issue that makes decrypting DVDs possible. The keys
must be available to the system performing the decryption. Now maybe
doing this will discourage a client from making the attempt, but if they
are determined then there’s nothing stopping them from hiring someone to
“crack” your encryption. But, as I said it’s not really cracking it
since the encryption keys exist in a location where the client has
access.
Indeed, finding them in memory. I believe though that the requirement is to
stop casual looking/tampering by the company's sysadmins rather than to stop
a dedicated expert cracker.
Cheers,
Andy
On 7 July 2010 01:25, Skip L. [email protected] wrote:
Props to Andy's solution - that's pretty awesome… hopefully not
everyone needs that!
Thanks Skip and I agree with your hope.
There are so many weird things I’ve done on this project, it’s been a
great/interesting experience…
Cheers,
Andy
On 7 July 2010 11:14, Andy J. [email protected] wrote:
Yep. Completely agree. They weren’t planning on stopping crackers, but
sysadmins that “knew some ruby”.
Bad news on that front, all the sys admins I know use Ruby. They start with
Puppet and then start writing their own applications.
Sys admins, by virtue of their job, are highly skilled individuals. Least
all the ones I know.
YMMV
Interesting solution, but also not secure. Anybody who has root can
read out your running processes’ memory spaces and either (a) grab the
key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.
Yep. Completely agree. They weren’t planning on stopping crackers, but
sysadmins that “knew some ruby”.
Add to that bonus nasties like directly frobbing the core of a running
VPS instance from the hypervisor, and you’re back in security hell
again.
They’re not using VPS/hypervisors.
Cheers,
Andy
On 07 Jul 2010, at 12:24, Peter H. wrote:
Yep. Completely agree. They weren’t planning on stopping crackers,
but sysadmins that “knew some ruby”.
Bad news on that front, all the sys admins I know use Ruby. They
start with Puppet and then start writing their own applications.
Sys admins, by virtue of their job, are highly skilled individuals.
Least all the ones I know.
In a way, you can praise yourself lucky, in my years of work (and
that's quite a lot of years actually) I've come across all kinds of
sysadmins: very knowledgeable people, capable people, people that think
they are capable, people that are complete and utter fools, citing
things they picked up from some magazine, completely misunderstood,
but still think they got their position with good reason, people that
know they are incapable of their job and try to make me do their work
for them.
Guess it all depends on what company you work with and especially in
midsize and small companies there’s a huge difference in knowledge and
experience when it comes to IT staff.
Getting a bit OT here, but reading this brings back so many
memories…
Best regards
Peter De Berdt
On Jul 7, 11:13 am, Andy J. [email protected] wrote:
Indeed, finding them in memory. I believe though that the requirement is to
stop casual looking/tampering by the company’s sysadmins rather than to stop
a dedicated expert cracker.
You can also do fun things with ruby2ruby, e.g.

    require 'rubygems'
    require 'ruby2ruby'

    class Secret
      def secret_method
        %w(I am secret).each { |p| puts p }
      end
    end

    puts Ruby2Ruby.translate(Secret)

outputs:

    class Secret < Object
      def secret_method
        ["I", "am", "secret"].each { |p| puts(p) }
      end
    end
In theory an interested person could attach themselves to one of your
ruby processes with gdb and if they knew enough about the ruby c api
they could load up stuff like ruby2ruby and inspect your classes.
Fred
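To make the thread's two points concrete in one runnable piece (the earlier reply's point that the decryption key has to live on the machine that runs the code, and Fred's point that a class is fully introspectable once it is loaded), here is an added example that is not from any poster in this thread. It builds a toy "encrypted source" loader with the standard-library OpenSSL bindings: the ciphertext is opaque on disk, but the loader must embed the key and IV to run, and after `eval` the resulting class exposes its method list and source location like any other class. The class name `Secret`, the method `secret_method`, and the all-zero key and IV are constructed for the example.

```ruby
require 'openssl'

# Constructed plaintext of the Ruby file a vendor would want to "protect".
PLAINTEXT_SOURCE = <<~RUBY
  class Secret
    def secret_method
      %w(I am secret).join(' ')
    end
  end
RUBY

# The key material the loader has to carry. A real loader would embed
# something less obvious, but it still has to be readable by the process
# (and therefore by anyone with the same access to the box).
LOADER_KEY = "\x00" * 32 # constructed: 256-bit AES key
LOADER_IV  = "\x00" * 16 # constructed: 128-bit CBC IV

# What the vendor ships: AES-256-CBC ciphertext of the source file.
def encrypt_source(src, key = LOADER_KEY, iv = LOADER_IV)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(src) + cipher.final
end

# What the loader does before MRI can interpret anything: recover the
# plaintext in memory using the embedded key.
def decrypt_source(blob, key = LOADER_KEY, iv = LOADER_IV)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(blob) + cipher.final
end

# Decrypt and evaluate at top level, then hand back the defined class.
def load_protected(blob)
  TOPLEVEL_BINDING.eval(decrypt_source(blob))
  Object.const_get(:Secret)
end

# Once loaded, the class is an ordinary Ruby object: reflection sees its
# methods, and each method reports where it was defined ("(eval...)").
# This is the same observation Fred makes with ruby2ruby above.
def inspect_loaded_class(klass)
  methods = klass.instance_methods(false)
  {
    methods: methods,
    defined_in_eval: methods.all? do |m|
      loc = klass.instance_method(m).source_location
      loc && loc.first.start_with?('(eval')
    end,
    # The ciphertext protected nothing once execution is allowed:
    result: klass.new.public_send(methods.first)
  }
end

if __FILE__ == $0
  blob = encrypt_source(PLAINTEXT_SOURCE)
  puts "ciphertext bytes: #{blob.bytesize}, contains 'Secret'? #{blob.include?('Secret')}"
  puts inspect_loaded_class(load_protected(blob)).inspect
end
```

The on-disk blob really is opaque (it does not contain the string `Secret`), which is the "discourages casual looking" property the thread concedes. Everything else in the chain (key, IV, plaintext in memory, reflective access to the loaded class) is available to whoever can run or debug the process, which is why the thread concludes that OS-level access control and contractual terms, not source encryption, are the real controls.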