I found way to protect Source Code! :)


#1

Hello!

Hope I found way how to protect Ruby sources.

The Super Product has been created and now we want to sell it. But there
is one problem, we are forced to distribute sources with it.

Solution? - The ‘BlackBox’ machine. :slight_smile:

We take a computer, setup Linux with encrypted file system and install
our solution. The ‘BlackBox’ is fully functional as a web server and the
sources are also protected.
So, we can sell these 'BlackBox’es.

I’ve heard, that there is a way to hack Linux encrypted data if there is
a physical access to server-machine, but as far as i know it’s hard
enough.


#2

Alexey P. wrote:

Hello!

Hope I found way how to protect Ruby sources.

The Super Product has been created and now we want to sell it. But there
is one problem, we are forced to distribute sources with it.

Solution? - The ‘BlackBox’ machine. :slight_smile:

We take a computer, setup Linux with encrypted file system and install
our solution. The ‘BlackBox’ is fully functional as a web server and the
sources are also protected.
So, we can sell these 'BlackBox’es.

I’ve heard, that there is a way to hack Linux encrypted data if there is
a physical access to server-machine, but as far as i know it’s hard
enough.

Unless one of your developers is going to type in the encryption key
every time the computer gets rebooted, then the key and/or passphrase
will have to be stored on that computer unencrypted. Which means that
if someone has physical access it will be trivial to gain access to the
encrypted data.

You only solution there is probably going to be to host the website in
your own datacenter and give clients access to it over the internet.


#3

On Thu, 16 Oct 2008 13:43:37 +0200, Alexey P. removed_email_address@domain.invalid
wrote:

We take a computer, setup Linux with encrypted file system and install
our solution. The ‘BlackBox’ is fully functional as a web server and the
sources are also protected.

As long as the system is up and running, the encrypted file system is
accessible as if it were not encrypted. Without securing the system
against intrusion in that state encryption is pointless.

Josef ‘Jupp’ Schugt


#4

On Thu, Oct 16, 2008 at 2:20 PM, Ade I. removed_email_address@domain.invalid
wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

Both of these “solutions” are useful for keeping honest people honest,
but won’t protect you against a determined attacker.


#5

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

Ade


#6

Ade I. wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

http://www.ruby-forum.com/topic/166458#731051

You have not made any changes or corrections to the website since.


#7

On Fri, 17 Oct 2008, Aaron T. wrote:

On Thu, Oct 16, 2008 at 2:20 PM, Ade I. removed_email_address@domain.invalid wrote:
Both of these “solutions” are useful for keeping honest people honest,
but won’t protect you against a determined attacker.

Solution? Translate it into perl.

Then no one can read it. :wink:

John C. Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : removed_email_address@domain.invalid
New Zealand


#8

Mike G. wrote:

Ade I. wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not just
Ruby enthusiasts and we are doing a real project. I wish we choose C to
develop our product and then have no problems in protecting the code.
But we use Ruby now for many reasons…

We do not want any conversions like Ruby to C or JRuby. We do not need
or want Java for its slowness. (We just do not need Java - don’t want to
get into a battle with Java fans :slight_smile: And also we understand there is no
ideal 100% proved protection solutions for any language. I know there
are some good encoders for PHP but what do we have for Ruby?


#9

On 17/10/2008, Ryan D. removed_email_address@domain.invalid wrote:

are some good encoders for PHP but what do we have for Ruby?

there is zenobfuscate which translates to C, that prevents my above
statement from occurring… as others have pointed out, if you are just
munging source, you’re doing nothing… nothing at all to protect things.
encryption? it needs to be decrypted in order to run and then you’re dealing
with my original claim again…

I don’t know of any other method than removing the ruby source entirely.

Remember DOS games? These employed many baroque copy protection
schemes including specially formatted or perhaps even specially
manufactured floppies so that nobody could make a copy with standard
software or even any standard floppy drive. Still the popular ones
were disassembled and circulated without the protection, and the lame
ones forgotten.

So if your software is worth anything you can only reasonably protect
it by selling it as service hosted on servers protected both in
software and physically.

If you just want people paying money for using your software forget
protection. It’s just additional effort and if you are lucky it does
not get in your way too much. Sell the software for price that people
who are likely going to use it can afford, and make the payment method
an easy one.

Also services like support and customization help getting some money
from your users.

If your application is that lame that anybody looking at the source
would run away screaming in horror then you probably need a better
coder.

I guess that’s pretty much all that can be said about code protection.

Thanks

Michal


#10

On Oct 16, 2008, at 23:10 , Sasha B. wrote:

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not
just
Ruby enthusiasts and we are doing a real project. I wish we choose C
to
develop our product and then have no problems in protecting the code.
But we use Ruby now for many reasons…

no, not really… anything that has ruby objects and ruby methods
involved can be popped wide open. If I can get my grubby paws on it, I
can play with it

We do not want any conversions like Ruby to C or JRuby. We do not need
or want Java for its slowness. (We just do not need Java - don’t
want to
get into a battle with Java fans :slight_smile: And also we understand there is no
ideal 100% proved protection solutions for any language. I know there
are some good encoders for PHP but what do we have for Ruby?

there is zenobfuscate which translates to C, that prevents my above
statement from occurring… as others have pointed out, if you are
just munging source, you’re doing nothing… nothing at all to protect
things. encryption? it needs to be decrypted in order to run and then
you’re dealing with my original claim again…

I don’t know of any other method than removing the ruby source entirely.


#11

Michal S. wrote:

On 17/10/2008, Ryan D. removed_email_address@domain.invalid wrote:

are some good encoders for PHP but what do we have for Ruby?

there is zenobfuscate which translates to C, that prevents my above
statement from occurring… as others have pointed out, if you are just
munging source, you’re doing nothing… nothing at all to protect things.
encryption? it needs to be decrypted in order to run and then you’re dealing
with my original claim again…

I don’t know of any other method than removing the ruby source entirely.

Remember DOS games? These employed many baroque copy protection
schemes including specially formatted or perhaps even specially
manufactured floppies so that nobody could make a copy with standard
software or even any standard floppy drive. Still the popular ones
were disassembled and circulated without the protection, and the lame
ones forgotten.

So if your software is worth anything you can only reasonably protect
it by selling it as service hosted on servers protected both in
software and physically.

If you just want people paying money for using your software forget
protection. It’s just additional effort and if you are lucky it does
not get in your way too much. Sell the software for price that people
who are likely going to use it can afford, and make the payment method
an easy one.

Also services like support and customization help getting some money
from your users.

If your application is that lame that anybody looking at the source
would run away screaming in horror then you probably need a better
coder.

I guess that’s pretty much all that can be said about code protection.

Thanks

Michal

C can be reverse engineered and java jars can be converted back to
source code. No program’s source is 100% safe. The suggestion of
selling it as a service and hosting the app on your own servers is as
close as you’re going to get. So don’t freak out too much because you
can’t get perfect code protection. It just doesn’t exist and yet
millions of people still pay for software.

Personally I do use rubyscript2exe for all my software (used internally
around the office). That is mainly so I don’t have to install the
entire ruby interpreter on every computer that uses the applications,
but it also has an added bonus of not making your source code readily
available. It would be trivial to get to the source for someone that
knows rubyscript2exe, but most people aren’t even going to give that a
thought.


#12

On Fri, Oct 17, 2008 at 07:23:32AM +0900, Aaron T. wrote:

On Thu, Oct 16, 2008 at 2:20 PM, Ade I. removed_email_address@domain.invalid wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

Both of these “solutions” are useful for keeping honest people honest,

I might dispute that. . . .

but won’t protect you against a determined attacker.

. . . but not that.


#13

On Fri, Oct 17, 2008 at 10:49:16PM +0900, James D. wrote:

C can be reverse engineered and java jars can be converted back to
source code. No program’s source is 100% safe. The suggestion of
selling it as a service and hosting the app on your own servers is as
close as you’re going to get. So don’t freak out too much because you
can’t get perfect code protection. It just doesn’t exist and yet
millions of people still pay for software.

http://blogs.techrepublic.com.com/security/?p=363

That might be relevant. Getting paid is more about your business model
than it is about trying to stifle competition.

Personally I do use rubyscript2exe for all my software (used internally
around the office). That is mainly so I don’t have to install the
entire ruby interpreter on every computer that uses the applications,
but it also has an added bonus of not making your source code readily
available. It would be trivial to get to the source for someone that
knows rubyscript2exe, but most people aren’t even going to give that a
thought.

Personally, I consider making source code more troublesome to recover a
bug, not a feature.


#14

On Oct 17, 2008, at 12:10 AM, Sasha B. wrote:

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not
just
Ruby enthusiasts and we are doing a real project. I wish we choose C
to
develop our product and then have no problems in protecting the code.

you know C can be de-compiled right?

But we use Ruby now for many reasons…

if you believe in selling software then you believe in market forces,
if you believe in market forces you believe that people will not steal
when the risk to reward ratio doesn’t make sense. consider micro$ and
it’s products: they are obfusicated, with keys, and anyone can
download them from the internet along with keys in an instant. same
goes for photoshop, etc. anytime the price is so high that the risk
of sharing is stealing, combined with the risk of getting caught, is
low, people are going to immediately subvert your costly efforts.
it’s so much simpler just to run your software as a service : so far
no one has bootlegged google…

regards.

a @ http://codeforpeople.com/


#15

On 18/10/2008, Alexey P. removed_email_address@domain.invalid wrote:

Translates .rb => .class and because it’s not one to one
mapping there is an information lost, that can be seen as the
obfuscation.

There is no .class to .rb decompiler, and (though, I’m not sure) these
.class files cannot be decompiled even to .java ones.

It can be decompiled easily, there are decompilers for a long time
already.

It seems, that JRuby Compiler is really what i need :).

I just want to rise barrier, to buy time if some company will try to
build a copy-product. For sure they’ll can reverse engineer it, but not
so fast as if they will have original sources.
There is no need to protect from hackers & cracks, my product will be
free (but not open).

I would really like to understand the thinking of the ‘freeware’
authors.

Since the software is free anyway there is no need for competition to
develop a copy-product. They can have it, and for free.

On the other hand, if they want to improve on the product it is easier
if it is opensource, and you as the author of the original can have
the improvement then as well if you choose a license that warrants
that.

The most annoying part of ‘freeware’ is when it contains a bug or is
incompatible with a newer system, and the original author is no longer
reachable or won’t bother to fix the problem.

But since it’s your software use whatever feels right for you.

I am free to use the software - or not use it. Or perhaps only to not
use it if you translate it into java classes, and I am by chance
sitting at a system for which there is no decent Java runtime.

Thanks

Michal


#16

Thanks for advices :slight_smile:

So, as I understood, there are:

  • Software as a Service, with owned hosting.
    Yes! This is the best one, but sometimes clients wants something
    ‘physically’ tangible :).

  • JRuby Compiler (http://wiki.jruby.org/wiki/JRuby_Compiler)
    It’s fully finished and ready to use.

Translates .rb => .class and because it’s not one to one
mapping there is an information lost, that can be seen as the
obfuscation.

There is no .class to .rb decompiler, and (though, I’m not sure) these
.class files cannot be decompiled even to .java ones.

  • Zenobfuscate (http://blog.zenspider.com/zenobfuscate/)
    Has some limitations.
    I’ve choose Ruby for all it’s goodnesses, and don’t want to give back
    any of it. I’ll better leave the product open than will agree to any
    limitation.

  • rubyencoder (rubyencoder.com)
    Somehow they do it, don’t know though how.

It seems, that JRuby Compiler is really what i need :).

I just want to rise barrier, to buy time if some company will try to
build a copy-product. For sure they’ll can reverse engineer it, but not
so fast as if they will have original sources.
There is no need to protect from hackers & cracks, my product will be
free (but not open).


#17

On Sun, Oct 19, 2008 at 05:07:59AM +0900, Alexey P. wrote:

any of it. I’ll better leave the product open than will agree to any
limitation.

  • rubyencoder (rubyencoder.com)
    Somehow they do it, don’t know though how.

. . . or come up with a business model that doesn’t rely on the
government trying to subvert natural laws.

It seems, that JRuby Compiler is really what i need :).

I just want to rise barrier, to buy time if some company will try to
build a copy-product. For sure they’ll can reverse engineer it, but not
so fast as if they will have original sources.
There is no need to protect from hackers & cracks, my product will be
free (but not open).

So . . . what’s the point of obscuring the code?


#18

On Mon, Oct 20, 2008 at 6:04 PM, Chad P. removed_email_address@domain.invalid
wrote:

It’s fully finished and ready to use.
I’ve choose Ruby for all it’s goodnesses, and don’t want to give back

So . . . what’s the point of obscuring the code?


Chad P. [ content licensed PDL: http://pdl.apotheon.org ]
Just tao it. http://tao.apotheon.org

This language is opensource I think if everyone use it with closed
source it
will be like the C language not open source, just, encrypt it and
send the decrypt key to the peoples that ask you for it, and make the
key
only work for X days or X … (corrupt it) like with the GPG option …


#19

I don’t always trust my ISPs so I’d very much like to run my Rails apps
encrypted.

On Tue, Oct 21, 2008 at 12:24 AM, |||=[Mathspeedy]=|||
|||=[Z3d0clan]=||| <


#20

Alexey P. wrote:

Thanks for advices :slight_smile:

So, as I understood, there are:

  • Software as a Service, with owned hosting.
    Yes! This is the best one, but sometimes clients wants something
    ‘physically’ tangible :).

Hi,

just my 5 cents worth (that’s Euro cents, then).

If you only have a few clients, it’s basically OK to give them the
source code as well: as the source code is protected by copyright laws
(unless you live in a very exotic contry like Somalia), your clients are
legally bound not to redistribute or even use the software elsewhere
(even in-house!). It probably isn’t even in the clients’ best interest
to give the source code out, especially if the code supports some
business functionality that gives them advantage over competition. The
risk of getting caught in such case is moderately high, with severe
fines backed up by copyright law and hopefully your SW license/contract.
In fact, you can probably get customers more easily by handing out
source code as well, as that gives them some guarantees in case you get
hit by the truck or your company bankrupts or something as bad from a
market-economy-point-of-view.

As for commercial, consumer-targeted mass distribution, I suppose I
would use something else than ruby. At least for the moment. :slight_smile:

Anyhow, for all that GPL-style code lying around, companies are becoming
more approving of SaaS solutions (even asking for it – as a plus side
you get all that system administration out of the house). I don’t think
there are many good business reasons having your servers in-house,
unless your business is server farming…

Cheers,

Joni