Self destruct your application?

I have dealt with some clients in the past, got screwed a couple of
times, etc. Yes I have contracts, etc. Some of these jobs are so small
that they are not really worth taking legal action. I want to develop a
plugin that can self destruct an application. Is this possible?
Basically I could access a URL with a password, other identification,
etc. and rails would basically delete itself. If I’m doing this through
apache I’m assuming rails would be run under the apache user, so if I
ran rm -rf RAILS_ROOT would this work?

Thanks for your help!

This seems like a really bad idea. I’ve been in your shoes more
times than I care to admit, so for clients where this situation is a
potential, I’ve adopted an aggressive strategy for getting payment
for my work. I only deploy what they have paid for. If they demand
to see working code first, that’s fine, I deploy it to a subdomain
that I own.

I am up front with my intentions, so there are no surprises. When
they have agreed that the code meets what they need, then when
payment is received (and the check clears) will I push the changes to
their boxes, or if I’m hosting it, to their domain.

Don’t feel like you will lose business by demanding something like
this. You deserve to get paid for your quality work!


James M.

Dude, have you ever heard of backups??? Even if you manage to delete
the code, they can always deploy it again. That’s what the
entertainment industry is suffering to understand…

This is typically not a technology problem. You have to resolve it by
other means. James’ suggestion below is very good. Another
alternative is to provide services, not products. That is, host the
solution. Finally, if you really want to solve this using technology,
I would try to use encryption. Perhaps something along the lines of
Zend Guard (http://zend.com/en/products/guard/) in the PHP world.

Best regards, Ricardo

On Nov 27, 4:49 am, Ben J. [email protected]

Brian H. wrote:

In business, people will try to take advantage of you if you let them.
If you’ve done all the work and the client has the end results, why
should he pay you?

Rather, in any situation some people will try and exact as much for
themselves as quickly as possible without regard to others, or even
their own long-term, interests. However, these people are very much in
the minority. Human society, and business interaction is but one facet
of social interaction, would not function if even a significant minority
of its members behaved in the fashion described above. They exist, yes,
but not in any great number.

If people are taken advantage of to the extent that they feel it
necessary to booby-trap their products then they are not demonstrating
any great discrimination in the jobs that they take. Perhaps their
choice is driven by pressing economic circumstance but what needs to be
addressed is one’s willingness to enter into unequal relationships and
not formulating methods of exacting revenge when this becomes evident.

A contractor can usually get a very good sense of the type of people
that they are dealing with by doing a credit check on them. If the
client is not worth bothering with then rarely will you be the first
supplier that they have stung. The $50-100.00 spent is well worth the
investment.

It really wasn’t meant to be a deep question. Whether you like it or not
this world is full of scumbags. A lot of time projects deal with more
than just money, such as equity, or stipulations based on the success of
the project. Things that occur after the project has launched. I
understand that a solid contract is the best method for making sure you
get what you are entitled to, but sometimes turning off the project is
a quicker means of getting their attention and being treated fairly.

Put yourself in that situation. You were promised X dollars if the
project reached a certain success point. It reached that point and you
got no money. You could wait a year to get your money or you could
probably get it in the next week if you turn the project off. What would
you prefer?

What you’re asking about is unethical. Even if you don’t get paid, it’s
unethical, and probably illegal if they own the server.

Never deliver a product without receiving compensation. Half-down before
you start, remainder when they approve the project. Only after approval
does it go on their servers. Set up your own servers for them to review,
or build in the cost of a VPS from linode.com into the contract so you
can stage their stuff. There are lots of options.

In business, people will try to take advantage of you if you let them.
If you’ve done all the work and the client has the end results, why
should he pay you?

On Nov 27, 2007 12:49 AM, Ben J. [email protected]

Ben J. wrote:

It really wasn’t meant to be a deep question.

I submit that contemplating a destructive, and potentially illegal, act
is a very deep question that requires a very carefully considered
answer.

Put yourself in that situation. You were promised X dollars if the
project reached a certain success point. It reached that point and you
got no money. You could wait a year to get your money or you could
probably get it in the next week if you turn the project off. What would
you prefer?

This begs the question of what was promised and how it was to be
measured. Whenever one is working with independent contractors there
are risks assumed on both sides that neither may have given much thought
to.

One can liken the situation of web app design to that of home
renovation. As a home owner you run a risk of spending money for shoddy
or incomplete work. As a contractor you run the risk of dealing with a
high maintenance client that does not have a clue about what will
satisfy their desires. Sometimes these risks create conflict and anger,
but coming back in the middle of the night and tearing off someone’s roof
is simply not to be contemplated, no matter what the rights and wrongs
of the dispute.

You are wrong because to put the roof back on would take as much work as
it took to put it there in the first place. Software can essentially
have an on / off switch. I could have what took months to complete up
and running in minutes.

It is not unethical at all, keep in mind that you are the one that is
owed money. At the point of “self destructing” the software you are
certain that you are being screwed. It’s not something I would do on a
hunch. I would be 100% certain that my client is trying to screw me.
This is a last end all option.

Everyone has their own way of dealing with problems, leave that to the
person. This thread was not meant to become a lecture on morals. I just
wanted to simply know the best method for self destructing my project.

Let’s try another scenario. Let’s say I build a rails project for a
client of mine. Now they are using this project to take over the world.
In order for me to save the world I must self destruct my project. How
would I do this?

Ben J. wrote:

Put yourself in that situation. You were promised X dollars if the
project reached a certain success point. It reached that point and you
got no money. You could wait a year to get your money or you could
probably get it in the next week if you turn the project off. What would
you prefer?

The largest single hit that I ever took was for 16k in 1998. I took the
legal route and discovered that enforcing the contract would cost
between 10 and 25k. So I ate it. In that case a credit check would have
revealed nothing because the cause of the dispute was personal antipathy
towards me by a principal of the firm. However, I must say that I
never once thought about trashing the work that I had performed.

Oh for goodness sake, just answer the question…

I think that relying on the application to be able to delete itself is
too dependent on things that you don’t have any control over (file
ownership/permissions being the key here). I’m also leery of the
legal aspects of deleting something (even if it is stolen software) on
someone else’s machines.

If you are intent on being able to “turn off” your code there are two
things that jump out at me right away…

  1. Add some kind of “software key” to your application… it could be
    a table with “authorization” and “expiration” columns, or a file in
    config/ or something like that. Check for that somehow (before_filter
    on all/key controllers?) and if the authorization has expired,
    redirect to a “Your licence to use reallycoolwebapp 2.0 has expired”
    When they pay in full you can either grant a licence that never
    expires, or just turn off the licence check totally.

  2. Add some kind of “call home” mechanism to the application, so that
    on a regular basis the app checks with you to make sure it can still
    be run. You maintain a webserver that chucks out an XML file (or
    something) that grants the app permission to continue running. If the
    client refuses to pay, you revoke the licence on your end, and
    reallycoolwebapp 2.0 is turned off for them.

As a non-compiled language, anything you try to do risks being found/
disabled by the client. #2 might be slightly more resilient to that,
but I would imagine that someone could just turn off the entire
checking mechanism without too much work. You could try hiding it in
your own plugin, that might make it a little more obscure. However
doing #2 requires that you keep that server up forever…

If I were to do either of the above options (or anything else like
this)

On Nov 27, 2007 1:50 PM, Ben J. [email protected]
wrote:

Let’s try another scenario. Let’s say I build a rails project for a
client of mine. Now they are using this project to take over the world.
In order for me to save the world I must self destruct my project. How
would I do this?

:~) I love it!

When you get it figured out, will you release it as a plugin?

I feel this approach is pointless. A client can always mine your code
and remove your ‘self destruct’ sequence. Anyone who is out to screw a
developer is going to be on guard (paranoid) because they know their
days are numbered.

– Long
http://MeandmyCity.com/ - Find your way
http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin

----- Original Message -----
From: “Ben J.” [email protected]
To: [email protected]
Sent: Tuesday, November 27, 2007 1:50 PM
Subject: [Rails] Re: Self destruct your application?

You are wrong because to put the roof back on would take as much work as
it took to put it there in the first place. Software can essentially
have an on / off switch. I could have what took months to complete up
and running in minutes.

[snip]
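
The point made above, that a client can always mine the code for a 'self destruct' sequence, can be done mechanically. The following is an added example, not code from anyone in this thread: a heuristic audit of a delivered Rails tree for the mechanisms discussed here (a recursive delete aimed at the application root, a "call home" request, a licence/expiry filter). The rule names, patterns and sample fragments are assumptions constructed for illustration.

```ruby
require "find"

# Heuristic patterns for this example (assumptions, not an exhaustive list).
PATTERNS = {
  recursive_delete: /FileUtils\.(?:rm_rf|rm_r|remove_dir)|\brm\s+-\w*r\w*\b/,
  app_root_ref:     /\bRAILS_ROOT\b|\bRails\.root\b/,
  outbound_http:    /\bNet::HTTP\b|\bopen-uri\b|\bopen\(\s*["']https?:/,
  licence_gate:     /\b(?:before_filter|before_action)\b.*(?:licen[cs]e|expir)/i
}.freeze

# Scan one source string; returns [[line_no, rule, text], ...].
def scan_source(source)
  hits = []
  source.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?("#") # comment-only lines never execute
    PATTERNS.each { |rule, re| hits << [no, rule, line.strip] if line =~ re }
  end
  hits
end

# :high   = recursive delete combined with the app root or a network call
# :review = any other indicator that a human should read in context
def severity(hits)
  rules = hits.map { |h| h[1] }.uniq
  risky_delete = rules.include?(:recursive_delete) &&
                 (rules.include?(:app_root_ref) || rules.include?(:outbound_http))
  return :high if risky_delete
  (rules - [:app_root_ref]).any? ? :review : :none
end

# Walk a delivered source tree and report every file that needs attention.
def audit_tree(root)
  report = {}
  Find.find(root) do |path|
    next unless File.file?(path) && path =~ /\.(?:rb|rake|erb)\z/
    hits = scan_source(File.read(path))
    level = severity(hits)
    report[path] = { severity: level, hits: hits } unless level == :none
  end
  report
end

# Constructed sample fragments (not from the thread's participants).
SUSPECT = <<~'RUBY'
  # rm -rf in a comment is ignored
  before_filter :check_licence_expiry
  Net::HTTP.get(URI("http://vendor.example/licence.xml"))
  system("rm -rf #{RAILS_ROOT}")
RUBY
```

A pattern scan like this only narrows down what to read; anything hidden behind `eval`, string building or a vendored plugin still needs manual review.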

Ben J. wrote:

Basically I could access a URL with a password, other identification,
etc. and rails would basically delete itself. If I’m doing this through
apache I’m assuming rails would be run under the apache user, so if I
ran rm -rf RAILS_ROOT would this work?

That is highly unprofessional and probably illegal. How do you think
your customer will react if he finds that you have implemented a
sabotage mechanism in his application?

The majority of the responses (including yours) seem to say “it is not
worth doing since the client can get around it”. I don’t see how that
is not a valid answer…

– Long

----- Original Message -----
From: [email protected]
To: “Ruby on Rails: Talk” [email protected]
Sent: Tuesday, November 27, 2007 2:25 PM
Subject: [Rails] Re: Self destruct your application?


Andreas S. wrote:

Ben J. wrote:

Basically I could access a URL with a password, other identification,
etc. and rails would basically delete itself. If I’m doing this through
apache I’m assuming rails would be run under the apache user, so if I
ran rm -rf RAILS_ROOT would this work?

That is highly unprofessional and probably illegal. How do you think
your customer will react if he finds that you have implemented a
sabotage mechanism in his application?

I don’t really care what he thinks, keep in mind this guy is screwing me.
Meaning he is doing something to me so wrong and illegal that it’s worth
doing this. I also checked with an attorney and it’s not illegal. It’s
similar to a car company repossessing your car. He got something he
didn’t pay fully for, you are taking it back.

Why not just start a smear campaign against this person/company. If this
app is for a company that wants to get their services out to a wide
group of people why not make it known that you built this app for them
and they didn’t pay for it and ask the question of “Do you really want
(as a consumer) to engage in business practices with someone that
behaves like this?” In the end you may prevent enough people from doing
business with them that they may regret not paying because in the end
they would have lost more in lost business because they didn’t pay than
if they did. If legal action doesn’t work and I would hope that ethical
sensibility would always prevail, then you have to hope that public
opinion will succeed.

Ben J. wrote:

Andreas S. wrote:

Ben J. wrote:

Basically I could access a URL with a password, other identification,
etc. and rails would basically delete itself. If I’m doing this through
apache I’m assuming rails would be run under the apache user, so if I
ran rm -rf RAILS_ROOT would this work?

That is highly unprofessional and probably illegal. How do you think
your customer will react if he finds that you have implemented a
sabotage mechanism in his application?

I don’t really care what he thinks, keep in mind this guy is screwing me.

I’m not talking about the sabotage itself, but about the inclusion of a
sabotage mechanism. You would have to do that before you knew whether he
is screwing you.

It’s similar to a car company repossessing your car.

It’s more similar to a car rental company installing a block of C4 with
a timer under the hood.

Again, since this is software (digital information) and a non-compiled
language, only encryption might work…

Best regards, Ricardo

On Nov 28, 12:42 pm, Ben J. [email protected]

Been there and it sucks.

I am a passionate programmer so I will put code in for free just because
I love it.
But when it’s time for the customer to pay and he doesn’t, but still
continues to use your product where you put tons of hours in, you feel
it in your gut every time that website is still up.
Trust me on that.
So if you have a feeling in the first place you are gonna be screwed,
walk away!
If you’re not sure but want the deal, build that code that will nuke it
into orbit when needed.
Yep, I am still pissed writing this down and thinking about that ass*le.

What have I learned?
Serve the app yourself.
When they pay you give them the code.

A little cool trick I did with 1.1.6 (wow, that’s old) was the
following.
Don’t know if it still works.
But it was just simple deployment.
sudo script/server -d
Now in production all the controller code was loaded.
So I just fired up textmate and deleted the controller code.
Worked like a charm.

Eventually the f*cker restarted his Mac and he was screwed
:)

As for file backups, that is relatively easy to get around. Have all
the data in subversion EXCEPT one critical file. For the project that
I’m on right now, that would be the post-checkout script. That script
is run-once per checkout, so if I were concerned, I would keep it off
the hard drive. Have capistrano tunnel back to run the script. Have
a phone-home action that deletes a bunch of files if it fails.
Specify that their rights to the software expire if payment is not
prompt. Test everything. Sleep well.

Me? I’m on salary. :)