On Thu, Sep 13, 2012 at 10:33 PM, Andy Bradford <[email protected]> wrote:

> Thus said "S. Dale Morrey" on Thu, 13 Sep 2012 22:26:21 MDT:
>
>> It's b, sorry if I wasn't clear. I'm giving some files to someone for
>> review. I don't want these to become distributed since they contain
>> secret sauce recipes and if they leak I want to be able to blame the
>> correct person.
>
> Automatically generate every piece of your code. The function names
> should be generated as well as variable names. Make the function names
> look non-random. Then, give out a different, randomly generated copy of
> the code to the various parties and keep track of which party received
> which randomly generated version of the code.
>
> Would this work?
In theory, yes, in practice, no :) Obfuscated code is *really* hard to review--thus defeating his goal.

This topic was kind of on slashdot just the other day--about the new gimmick McAfee has for controlling photo distribution on facebook. It's really simple: if you don't want something distributed, you can't let it out of the bag.

That being said, you don't have many options to *guarantee* anything. Your best bet is to require them to view the code in *your* house, under your supervision and control, w/o any means to copy it. Once they do have the source code in their possession, they could modify it as they see fit--how could you prove that they are distributing binaries employing your secret algorithms? At the very least you need a solid NDA in place that has severe penalties for breach.

Which leaves me back at your original dilemma--how to at least detect a breach? That may require understanding your product/codebase/situation--who is the reviewer and why are they seeing your code? It's still probably intractable. It's hard enough (really not possible) to even protect *binaries* from being distributed. (Some attempt to use dongles, but they can *all* be circumvented; others use network-access DRM--e.g. Ubisoft.) *Source code*, however, is truly a Pandora's box.

Also, just how "secret" is your code? Is it really that novel? I know lots of employers that think the code they've paid for is worth protecting, when it's really just glue that's been written time and again by every web shop on the planet. I'm not saying yours isn't--I don't know--but egos aside, is it really? And if it really is, how much effort would be involved in monetizing it? How much supporting infrastructure, customer base, etc. would they have to build up that would be serviced specifically by your exact algorithm? IOW, how big is the risk really?
Seems (without more details) that if it's easily monetized, it should be easy to detect a breach--go sue for the reparations in the NDA--and if it's not easily monetized, the risk may be low enough to not worry--just get the NDA, then let them review it.

One last option occurs to me: can you remove your secret sauce and replace it with stubs in the review copy? Or are they specifically reviewing your secret sauce?

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
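For anyone who wants to see what Andy's proposal (quoted at the top of this message) actually looks like in code, here is an added, stand-alone example. It is not from this thread and not anyone's production tooling; the sample "secret sauce" source, the wordlists and the OWNER_KEY are all constructed placeholders, and the rest is Python standard library (ast, tokenize, hmac). Each recipient gets a copy whose function, parameter and local names are replaced by deterministic, plausible-looking names derived from a secret and the recipient's name; the owner keeps the ledger of who received which names, and a leaked fragment is attributed by counting which recipient's names appear in it.

```python
"""Per-recipient identifier watermarking of source code (constructed example).

Mechanism: rename every owner-controlled identifier to a verb_noun name that is
a keyed hash of (recipient, original name); keep the map per recipient as a
ledger; attribute a leak by matching names in the leaked text against the ledger.
"""
import ast
import hashlib
import hmac
import io
import re
import tokenize

# Constructed wordlists: generated names should look like ordinary code, not noise.
VERBS = ["load", "parse", "check", "build", "scan", "merge", "fetch",
         "apply", "index", "trim", "sort", "emit"]
NOUNS = ["record", "buffer", "entry", "batch", "frame", "node", "token",
         "block", "row", "slot", "chunk", "field"]

# Constructed stand-in for the "secret sauce" being handed out for review.
SAMPLE_SOURCE = """\
def blend_ratio(volume, density):
    scale = density * 0.37
    total = volume / scale
    return total


def price_per_unit(total, margin):
    base = total + margin
    return base * 1.19
"""

# Assumption: the owner keeps this key private; it makes every copy reproducible
# from the ledger without storing the copies themselves.
OWNER_KEY = b"constructed-demo-key-not-a-real-secret"

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def renameable_identifiers(source):
    """Names the owner controls: function names, parameters and local assignments."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            names.add(node.name)
            for arg in node.args.args:
                names.add(arg.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.add(node.id)
    return sorted(names)


def build_name_map(source, recipient):
    """Deterministic per-recipient map: original name -> plausible replacement."""
    used = set(IDENT.findall(source))  # never collide with a name already in the file
    mapping = {}
    for original in renameable_identifiers(source):
        digest = hmac.new(OWNER_KEY, f"{recipient}:{original}".encode(),
                          hashlib.sha256).digest()
        # Walk the digest two bytes at a time until a free verb_noun pair turns up.
        for i in range(0, len(digest) - 1, 2):
            candidate = f"{VERBS[digest[i] % len(VERBS)]}_{NOUNS[digest[i + 1] % len(NOUNS)]}"
            if candidate not in used:
                break
        else:
            raise RuntimeError("wordlists too small for this source")
        used.add(candidate)
        mapping[original] = candidate
    return mapping


def watermark(source, recipient):
    """Return (renamed_source, name_map). Only NAME tokens are rewritten, so
    strings, comments and formatting survive untouched."""
    name_map = build_name_map(source, recipient)
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and tok.string in name_map:
            tok = tok._replace(string=name_map[tok.string])
        out.append(tok)
    return tokenize.untokenize(out), name_map


def distribute(source, recipients):
    """One copy per recipient plus the ledger the owner must retain."""
    copies, ledger = {}, {}
    for recipient in recipients:
        copies[recipient], ledger[recipient] = watermark(source, recipient)
    return copies, ledger


def attribute_leak(fragment, ledger):
    """Score each recipient by how many of their generated names occur in the leak.
    Returns (recipient, hits), or (None, 0) when nothing matches."""
    seen = set(IDENT.findall(fragment))
    scores = {r: len(seen & set(m.values())) for r, m in ledger.items()}
    best = max(scores, key=scores.get)
    return (best, scores[best]) if scores[best] else (None, 0)


if __name__ == "__main__":
    copies, ledger = distribute(SAMPLE_SOURCE, ["alice", "bob", "carol"])
    print(copies["bob"])
    print(attribute_leak(copies["bob"].splitlines()[1], ledger))
```

Two things worth noticing when you run it. First, the output is exactly the reviewability problem raised in the reply: every name in the reviewer's copy is syntactically plausible and semantically empty, so the reviewer is reading load_frame and trim_slot instead of volume and density. Second, attribution only works on text that still carries the generated names; a recipient who renames the identifiers back, reformats, or ships a compiled binary leaves nothing for the ledger to match, which is the "source code is a Pandora's box" point in other words.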
