Forum: Ruby on Rails Code security

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Fa00616b4d499dc40d7c7bc713bede3c?d=identicon&s=25 Chris (Guest)
on 2006-01-28 15:41
I've just created a rails application for a friend's business.
I'm going to place the application onto one of his computers so he can
access it from within his network.

What can i do to make sure he cannot read/edit the code? I can't see
what i can do. Its on a windows xp machine and he has full admin rights.
He's not an expert PC user so the solution doesn't have to be fully
secure, it just needs to be hard for him to access.  It's really
important that he doesn't read the code

Anyone any ideas what i can do??? any help would be really appreciated!!

Thanks,
Chris
6661ef9d747db3af8896cd94959d717d?d=identicon&s=25 Paul Barry (Guest)
on 2006-01-28 15:53
(Received via mailing list)
If he has admin rights to the machine where the code is installed, I'm
pretty sure it's not possible for you to prevent him from read/editing
the
code.  It think the only solution we be to put the code on a machine
that he
doesn't have administrator/root access to.
B79f6edafee26860eb2ef239558bf8dc?d=identicon&s=25 Lee Pope (Guest)
on 2006-01-29 21:29
(Received via mailing list)
I acree with Paul, but version control is your friend here. If you allow
him
read-only access to your repository, and give him a working copy, you
can
track and roll back his changes easily in the event of an 'accident'.

Lee
119af50160cabfe1fb6f2f05f5018c64?d=identicon&s=25 James Ludlow (Guest)
on 2006-01-29 21:35
(Received via mailing list)
On 1/28/06, Chris <eggman123444@gmail.com> wrote:
> It's really important that he doesn't read the code

Why?

This seems like there's something else going on.
Ff82af3238a57fbd1212832ec1a19f28?d=identicon&s=25 Dylan Stamat (Guest)
on 2006-01-29 21:53
(Received via mailing list)
+1 on James comment.  Why wouldn't you want him to "read the code" ?
7a28bf7b0932a9486c21f1a33eb431ba?d=identicon&s=25 Tom Lieber (Guest)
on 2006-01-29 23:24
(Received via mailing list)
On 1/29/06, Dylan Stamat <dylans@gmail.com> wrote:
> +1 on James comment.  Why wouldn't you want him to "read the code" ?

So that it doesn't become theirs. I'm sure open source software would
be much better if you could open any binary in an editor and see the
original code, due to the same 'borrowing' that Chris probably doesn't
want to happen. That it's hard to obfuscate programs written in
interpreted languages is why I haven't bothered trying to sell any of
them, anyway.

Sincerely,

Tom Lieber
http://AllTom.com/
http://GadgetLife.org/
Cd8c9864d88bcafc164d8fdb820cc451?d=identicon&s=25 Chris (Guest)
on 2006-01-30 02:05
Here are instructions to package your rails app as an EXE!! it seems to
work like a charm.

It solves my problem of anyone borrowing my code!

http://www.erikveen.dds.nl/distributingrubyapplica...
58479f76374a3ba3c69b9804163f39f4?d=identicon&s=25 Eric Hodel (Guest)
on 2006-01-30 02:55
(Received via mailing list)
On Jan 29, 2006, at 5:05 PM, Chris wrote:

> Here are instructions to package your rails app as an EXE!! it
> seems to
> work like a charm.
>
> It solves my problem of anyone borrowing my code!
>
> http://www.erikveen.dds.nl/distributingrubyapplications/
> rails.html#2.1.0

That only makes it more difficult to access the ruby files, not
impossible.  A debugger could pull them out of memory with a bit of
work.

You really want a Ruby obfuscator like ZenObfuscator.

--
Eric Hodel - drbrain@segment7.net - http://segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
8e44c65ac5b896da534ef2440121c953?d=identicon&s=25 Ezra Zygmuntowicz (Guest)
on 2006-01-30 03:07
(Received via mailing list)
On Jan 29, 2006, at 5:05 PM, Chris wrote:

>
Chris-

	Note that when you package and app that way it is only providing
minimal security. When your user double clicks on the exe file the
rubyscript2exe will just uncompress your code into a temp dir. So it
will still be available in plain text on the system after it gets run
once.


Cheers-
-Ezra Zygmuntowicz
WebMaster
Yakima Herald-Republic Newspaper
ezra@yakima-herald.com
509-577-7732
F3dc06f587d1ff4c7366b102bfda9204?d=identicon&s=25 David Mitchell (Guest)
on 2006-01-30 03:34
(Received via mailing list)
Agreed, but unless the person with your code has a fairly significant
reason to try to extract the source (e.g. you're trying to gouge him
on price for maintenenace work later on, or he needs some work done
and you've just been run over by a bus), >90% of people would see the
EXE file and not bother trying to extract the code.

If someone *really* wants to pull apart your code, it's very difficult
to hide it without going to extraordinary lengths.  Even compiled
languages can be decompiled into something vaguely like the original
source - at least to the point that it could be changed and recompiled
by someone with sufficient determination.  For apps that could fall
into this category, I just deploy them on a Web server that I control
and give the users access to it.

rubyscript2exe is a really nice way to deploy apps to customers, by
the way - nothing like being able to give out a single EXE file that
*is* the app, rather than sending 3 BAT files, 13 EXEs, 123 DLLs, 4
XML files, ... and then finding your customer doesn't have Winzip to
unpack it all!

Regards

Dave M.
5f3d7eb9e9314f4eb94b4040cee4d8d2?d=identicon&s=25 Vince Puzzella (Guest)
on 2006-01-30 04:34
(Received via mailing list)
What's wrong with people borrowing your code?  You're 'borrowing' rails.
:)
42292bf8a0acbc98862d9306b501275d?d=identicon&s=25 Daniel Waite (rabbitcreative)
on 2006-01-30 04:52
(Received via mailing list)
Get a host that supports Rails and throw it up there. Problem solved. =P

- Rabbit

---
F3dc06f587d1ff4c7366b102bfda9204?d=identicon&s=25 David Mitchell (Guest)
on 2006-01-30 04:58
(Received via mailing list)
I'm guessing that's meant to be a rhetorical question, but if not:
- my code is *mine*, and I'll share it around as I see fit.  I may
choose to GPL it, or I may release it under some other open source
licence, or I may not; either way, it's *my* choice who sees *my* code
- I may have wrapped some proprietary algorithm (that I myself own) in
my code, and I don't want other people to see it.  For example, the
algorithm may have a pending patent application, in which case I won't
want to have it seen unless/until the patent is granted
- I may charge money for people using my code (a la Microsoft), and
having them be able to see the source might compromise my income
- there may be unimplemented functions or other cruftiness in my code,
so while I'm happy for people to use it in its present state, there
may be a personal/professional integrity issue that I don't want to
face if/when people start digging around inside it
- I might want to sell support/maintenance services surrounding my
code, and therefore giving people access to do this themselves would
jeopardise my income
- there may be other issues relating to the "hidden-ness" of my source
code that make obscuring it a good thing.  For example, having
observed some of it personally, I wouldn't be at all happy if banks
started releasing the source code for their Internet banking
applications to all and sundry.  Sure, they might eventually wind up
with a more secure application after the public trawled through their
code, identified bugs and fixed them, but would there be any money
left in the safe by the time that happened?
- I might have stolen other peoples' source code and cut/pasted it
into my app, and I don't want those affected to find out about it.
No, I can't think of anyone who would ever do this, so scratch it as a
possibility...
- I might have reused some old source code in my new application.  If
the old source code was written under contract to some other customer,
who then purchases it in its entirety, I'm not allowed to reuse it
(subject to local laws and interpretations).  While every coder worth
his/her salt reuses their old code all the time, in some circumstances
it might pay to be discrete about it

Just because the good people who created Rails are happy to have its
source shared around, doesn't mean that everyone else feels they
should act the same way, at all times.

Regards

Dave M.
55428cbf149e35dd4b65f1d019d04139?d=identicon&s=25 Matthew Palmer (Guest)
on 2006-01-30 06:02
(Received via mailing list)
On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell wrote:
> I'm guessing that's meant to be a rhetorical question, but if not:
> - my code is *mine*, and I'll share it around as I see fit.  I may
> choose to GPL it, or I may release it under some other open source
> licence, or I may not; either way, it's *my* choice who sees *my* code

Who said anything about releasing the code under a FOSS licence?

> - I may have wrapped some proprietary algorithm (that I myself own) in
> my code, and I don't want other people to see it.  For example, the
> algorithm may have a pending patent application, in which case I won't
> want to have it seen unless/until the patent is granted

Better treated as a contractual/trade secret issue than a code
obfuscation
one.

> - I may charge money for people using my code (a la Microsoft), and
> having them be able to see the source might compromise my income

Better treated as a contractual issue than a code obfuscation one.

> - there may be unimplemented functions or other cruftiness in my code,
> so while I'm happy for people to use it in its present state, there
> may be a personal/professional integrity issue that I don't want to
> face if/when people start digging around inside it

I think that allowing your customers to see what sort of a programmer
you
are would be a brilliant reason to open up your code -- if not for your
benefit, then for theirs.

> - I might want to sell support/maintenance services surrounding my
> code, and therefore giving people access to do this themselves would
> jeopardise my income

Better treated as a contractual issue than a code obfuscation one.

> - there may be other issues relating to the "hidden-ness" of my source
> code that make obscuring it a good thing.  For example, having
> observed some of it personally, I wouldn't be at all happy if banks
> started releasing the source code for their Internet banking
> applications to all and sundry.  Sure, they might eventually wind up
> with a more secure application after the public trawled through their
> code, identified bugs and fixed them, but would there be any money
> left in the safe by the time that happened?

I don't know about you, but I've not yet had an opportunity to run my
bank's
Internet banking application on my own servers.  You must have a
particularly interesting bank there.

> - I might have stolen other peoples' source code and cut/pasted it
> into my app, and I don't want those affected to find out about it.

Gee, that's a quality reason.

> - I might have reused some old source code in my new application.  If
> the old source code was written under contract to some other customer,
> who then purchases it in its entirety, I'm not allowed to reuse it
> (subject to local laws and interpretations).  While every coder worth
> his/her salt reuses their old code all the time, in some circumstances
> it might pay to be discrete about it

This seems closely related to the previous reason.

> Just because the good people who created Rails are happy to have its
> source shared around, doesn't mean that everyone else feels they
> should act the same way, at all times.

Considering that the best two reasons given appear to relate to covering
up
illegal activities, I'm not sure that your arguments are looking pretty
thin.
I guess, though, that if you spend your time misappropriating other
people's
code, you assume the same mindset in others.

AFAIK, there's nothing that will effectively obfuscate Ruby code from a
determined person at this time.  All of the "ruby into .exe" converters
are
quite useful for simple deployment, but not for obfuscation purposes.
Consider it a marketing benefit that your customers have the sourcecode
(call it "future-proofing" or whatever -- most people in business have
had a
problem with a software vendor disappearing underneath them).

- Matt
F3dc06f587d1ff4c7366b102bfda9204?d=identicon&s=25 David Mitchell (Guest)
on 2006-01-30 06:48
(Received via mailing list)
OK, I should've said up front that I don't pinch other peoples' code,
nor do I have a problem with people seeing my sometimes-crappy code.
However, other people do.

My points still stand, however: the choice of how to distribute code
should be left to the author; code obfuscation has its place, although
I agree it's not a great standalone security solution; people *do*
misappropriate others' code, or re-use code they've written and then
sold, and don't want to highlight it.  With all due respect, *any* of
these would be sufficient reason for someone to choose to not publish
source.  Witness the reluctance of some companies to release code
they've *borrowed* that was under the GPL, which they're then obliged
to make available along with their changes - there's been a sizeable
number of these issues discussed in Slashdot over the past few years.

Even with one of the most powerful (not to mention busiest) legal
teams around, Microsoft doesn't release all their source code and then
rely on binding contracts as a way of protecting their IP assets.
Ditto Oracle, and any number of other commercial software companies.
If *they* don't release their code, that's good enough reason in
itself for a lot of people to follow suit.

Finally, as far as Internet banking apps go - no, I don't run these
apps at home.  However, I have previously been employed as a
consultant to test Internet banking code for several banks, and in
*every* case the commercial imperative to "get it out there" has
eventually superceded testing that's shown up flaws in the
application.  Shock, horror - even Internet banking apps get deployed
when there are still known defects.  To some extent, banks quite
definitely rely on the fact that others can't see their source, but
also on other levels of security (e.g. firewalls, encryption, etc.).
I'm fairly confident that, given full access to the source for one of
these apps, someone would eventually be able to drain money from other
peoples' accounts without their knowledge, simply because the
processes used to develop/test/remediate the code don't work
perfectly.  I'm also confident that the banks would gain very little,
if anything, as compensation in terms of improved security by
releasing their source.

Anyway, this is all getting way off the original topic, which related
to one guy wanting to protect his source from his customer, and which
has (presumably) already been answered earlier in this thread to his
satisfaction.  Sorry if I wasted everyone's time on trying to list
reasons why someone might not want to release their source, which was
a bit of a tangent to the original query.

Regards

Dave M.
42172acdf3c6046f84d644cb0b94642c?d=identicon&s=25 Pat Maddox (pergesu)
on 2006-01-30 07:00
(Received via mailing list)
On 1/29/06, Matthew Palmer <mpalmer@hezmatt.org> wrote:
> > having them be able to see the source might compromise my income
>
> Better treated as a contractual issue than a code obfuscation one.

All I know about trade secret issues is the result of a 20 minute
convo in my very first CS class, so take this with a jar of salt :)

>From what I remember, trade secrets are only legally protected if
they're practically protected first.  Meaning you have to exert the
effort to protect your trade secret, you can't just be haphazard about
it and expect the law to take care of you.  I imagine that
distributing your code along with the software is easily interpretted
as not protecting it.  "Uh, if it's so important that nobody
alter/copy it, why did you give it out?"  Now that there are code
obfuscators and compiled languages, there really is no excuse to pass
out clear text source code if you want to protect it.  It may not be
possible with Ruby yet, but I'm willing to bet a lot of
unsophisticated arbiters/judges would say, "Okay if you can't do it in
this language, why'd you write the code in it?"

I know that IP is of course protected under open source licenses.
Perhaps it's semantics, but I think it's rather foolhardy to
distribute your source code and expect it to be considered a trade
secret.

Finally, I'm a huge fan of open source, but I completely understand
why many companies/developers choose not to go that route, and have
absolutely no problem with it.

Pat
42292bf8a0acbc98862d9306b501275d?d=identicon&s=25 Daniel Waite (rabbitcreative)
on 2006-01-30 07:12
(Received via mailing list)
LOL! Dude, SO much discussion for this. You'd solve your freaking
"problem" if you just got a HOST. You know, a "web site" where you can
throw your app on and let the client use it without seeing the code.

Here look! I'll even point you to a couple:

<a href="http://rimuhosting.com/">Rimu Hosting - quality VPS starting
at $20/mo</a>
<a href="http://www.pipespring.com/">Pipe Spring - shared VPS starting
at $11/mo</a>

Or if you're strapped for cash...

<a href="http://www.asmallorange.com/">A Small Orange - $5/mo shared
hosting!</a>

Make your app live and get on with your life.

- Rabbit

---
Ad7805c9fcc1f13efc6ed11251a6c4d2?d=identicon&s=25 Alex Young (Guest)
on 2006-01-30 09:10
(Received via mailing list)
Rabbit wrote:
>
> Or if you're strapped for cash...
>
> <a href="http://www.asmallorange.com/">A Small Orange - $5/mo shared
> hosting!</a>
>
> Make your app live and get on with your life.

Except that won't work from a sealed intranet.  Under those
circumstances, you *may* get somewhere giving them a black box to plug
in under their desk, or you may not.
55428cbf149e35dd4b65f1d019d04139?d=identicon&s=25 Matthew Palmer (Guest)
on 2006-01-30 12:13
(Received via mailing list)
On Sun, Jan 29, 2006 at 10:59:10PM -0700, Pat Maddox wrote:
> > > - I may charge money for people using my code (a la Microsoft), and
> > > having them be able to see the source might compromise my income
> >
> > Better treated as a contractual issue than a code obfuscation one.
>
> All I know about trade secret issues is the result of a 20 minute
> convo in my very first CS class, so take this with a jar of salt :)
>
> >From what I remember, trade secrets are only legally protected if
> they're practically protected first.

Jar taken.  "Effectively protected" includes such things as "customer
signs
contract saying 'this software contains trade secrets and you are
required
to keep them that way'".  Otherwise, how would you protect your trade
secrets in areas other than software design -- there's no English
Obfuscators (despite the content of most web forums as being apparent
evidence to the contrary <grin>).  The rules regarding "effective
protection" are meant to stop people from putting up billboards and then
suing anyone who looks at them.

> out clear text source code if you want to protect it.  It may not be
> possible with Ruby yet, but I'm willing to bet a lot of
> unsophisticated arbiters/judges would say, "Okay if you can't do it in
> this language, why'd you write the code in it?"

You may be confusing trade secret law with the TPM provisions in
DMCA-style
copyright laws.  Part of the problem with the whole lumping together of
several very different areas of law under the banner of "Intellectual
Property" is this confusion that people have when talking about them.
Trade
Secrets are a whole world of their own, completely different from
Copyrights, which are totally different to Patents and Trademarks.
There
are little-to-no commonalities between them.

> I know that IP is of course protected under open source licenses.
> Perhaps it's semantics, but I think it's rather foolhardy to
> distribute your source code and expect it to be considered a trade
> secret.

You're not putting your source on the Internet for all to download --
you're
distributing it to your paying customers after the execution of a
suitably
binding contract -- two very, very different things.  They can even have
some level of "Open Sourceness" about it, too -- a sunset clause that
states
that, in the event that you go out of business / are unwilling to
provide
further support, the whole thing falls under the GPL for anyone to
maintain.
Keeps everybody happy.

There's this widespread confusion that "giving people the source" means
"giving them the source under an Open Source licence".  It isn't.  Way
back
in the day, that's how just about all software was provided -- you got a
copy of the source on huge tapes, and you compiled it on your machine
(which
was, of course, different to every other machine).  You used to get a
copy
of the source for Unix, 6th edition, for instance, for US$140,000 --
which
entitled you to run it on one machine (but with as many users as you
could
fit on a PDP-11 -- what a bargain!).

> Finally, I'm a huge fan of open source, but I completely understand
> why many companies/developers choose not to go that route, and have
> absolutely no problem with it.

People can try to make money any way they like.  I just prefer it when
everyone is honest about the reasons for their business model.  (Note:
not a
cheap shot at David, just a general statement of "feh" at the
proprietary
software companies, which I'm increasingly disgusted at).

- Matt
E47445b68a7773fc134987c4ed3fd6d9?d=identicon&s=25 Soulhuntre (Guest)
on 2006-01-30 15:45
(Received via mailing list)
Heya :)

> it without seeing the code.
Many, many clients will not let this happen. Many of the clients I deal
with
want to maintain control over as much of their infrastructure as
possible
hardware wise and they are so not going to put something critical on a
server that isn't in their full control or part of their existing
managed
leased space.

Soulhuntre
----------

http://www.girl2.com  - my girls
http://www.the-estate.com  - my legacy
http://wiki.thegreybook.com - my project
http://weblog.soulhuntre.com - my thoughts
C8a634a01a2c4508360874bff7fb1a7f?d=identicon&s=25 Kevin Olbrich (olbrich)
on 2006-01-30 16:54
One idea that could be used to protect certain key algorithms without
shoving the entire application onto a web server would be to set up a
web service to handle certain critical procedures and then return the
result.

Obviously there are limitations here, for one, the webserver would not
have full access to your data tables, so you would need to extract any
needed data and then transmit that to the web server (this could also be
a security issue).

Properly done, you could provide the end user with almost all of the
code while still holding onto key technology.

This is not a substitute for a good contract.

_Kevin
This topic is locked and can not be replied to.