RE: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
On Mon, 13 May 2002, SHEETS,JASON (Non-HP-Boise,ex1) wrote:

Yes, even if you take some steps to protect your code it may still be distributed, but it WILL be distributed if you don't. Think about security: as a sysadmin I can't just not apply security updates. You apply every security update you can, even though a determined cracker can still get into your box, because you eliminate most of the script kiddies. Just because you can circumvent something does not mean it is not worth doing. There is a trade-off between security and usability: to make something completely secure you make it completely unusable, so you need to find a middle ground with your systems and your code. As far as banks being robbed, yes they may be robbed, but we still lose less money than if we left the vault unlocked and just told people to help themselves.

The situations are not analogous. Putting locks on a bank vault increases the amount of time it takes to get in, which increases the risk to the robber. This is a powerful disincentive, and leads robbers to choose other banks instead of yours. Also, after someone does manage to get through all your vault locks, the next person who wants to break into the bank still has to go through all the work again.

Putting locks on software, on the other hand, doesn't increase any risk. It may increase the challenge, but for many crackers, this is the number one incentive anyway. And once one person has broken it, it's as good as broken everywhere. So the return for effort/expense is much lower. The time is better spent writing more software for more clients. Or finding better, more honest clients.

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
Well, I've never tried it, but I've gone through some of the big open source apps out there trying to learn their techniques and I can tell you I hate going through my code, let alone someone else's.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 14, 2002 2:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

Step 1: Run the files through a prettyprinter. That instantly restores the indentation and line breaks.

Step 2: Open up in a text editor like TextPad that has multi-file search-and-replace and rename all the functions back from their garbled names as you determine what they do. Unless it was written to be confusing from the very beginning - in which case an awful lot of development time was wasted - it'll be very easy to do this. Just start from the functions with the greatest number of calls to PHP built-in functions and work outward from there. 1 minute or so per 25 lines of working code.

Honestly, it's not a big deal.

miguel

On Mon, 13 May 2002, SP wrote:

As an example, someone provided this link on the PHP Obfuscator http://pobs.mywalhalla.net and I'm just quoting what it says it does:

POBS replaces user-defined (NOT predefined) functions, constants and variables with a MD5 key of 8 characters ... The first letter of the new function name is a F, of a variable a V and of a constant a C.

The function with name MakeImageHtml is replaced by Fee2c1bdc
The variable $ImgText is replaced by $V1d9d94a6
The constant USERDIR is replaced by C389a367e

It also concatenates lines and removes comments and indents, so yeah, you could spend your time hunting down the killswitch and the 10 other backdoors I put in the prog, but what do you end up with? A working app that no coder would even want to maintain or touch. And the good thing is the longer the guy that stiffed you uses the app, the more screwed they will be.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

Well, I promise you that I can re-activate any solely PHP-based remote killswitch in a matter of minutes - maybe hours if the person was really good. It's just too easy when you have the source code for the interpreter.

Likewise the only truly effective PHP encoder would be one that created confusion by scrambling all the variable names to be names of my former girlfriends. Anything else is just like working with bad code from a contractor or junior employee - run it through the prettyprinter, open up a Dr. Pepper, and be the PHP interpreter for a while.

Coming up with robust code protection is a very, very challenging task. You spend a long time working out a scheme, then someone figures it out, and you have to start over again - everything protected by your previous scheme is now out in the open.

Much better to focus on the legal side of it. If you really don't think you're going to be able to police the use of your code, to a degree that piracy is going to cost you more than your time is worth, you should be looking for a new set of clients.

miguel

On Mon, 13 May 2002, SP wrote:

Everyone is arguing that these encoders can be cracked. Does anyone know of one, have you done it yourself? How long did it take? I mean I'm not going to leave my door unlocked cuz someone can pick it open.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 3:29 PM
To: Udo Giacomozzi
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Genius who came up with Self Destruct Code Copy Protection

On 13 May 2002, Udo Giacomozzi wrote:

If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle. That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime

All of these have weaknesses. And therefore the whole exercise is moot. It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag. Once it has been broken, it will spread and then it won't matter how complex your scheme was. I really doubt there is any software out there that isn't being traded by high-school kids, even if they have no idea what it's for. The only exceptions would be something so arcane and obscure that nobody ever had an interest in cracking
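The POBS renaming scheme quoted above and Miguel's "start from the functions with the most built-in calls" way of undoing it, as an added example that is neither POBS's code nor anything posted in the thread. It assumes PHP 7.1 or later with the tokenizer extension; next_nonws(), function_name(), declared_functions(), obfuscate(), rank_by_builtin_calls() and the sample source at the bottom are all constructed here for the demonstration. Only functions and variables are renamed; constants are left alone.

```php
<?php
// Added example, not code from the thread or from POBS: a POBS-style renamer
// for user-defined functions and variables built on PHP's tokenizer, plus the
// "functions with the most built-in calls first" ranking Miguel describes for
// undoing it by hand. Constants are left alone; the sample source at the
// bottom is constructed for the demonstration.

// Index of the first non-whitespace token after $i (count() if there is none).
function next_nonws(array $tokens, int $i): int {
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (!(is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE)) return $j;
    }
    return count($tokens);
}

// Name token following a "function" keyword at $i, or null for a closure.
function function_name(array $tokens, int $i): ?string {
    $j = next_nonws($tokens, $i);
    $named = $j < count($tokens) && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING;
    return $named ? $tokens[$j][1] : null;
}

// Lower-cased names of every function declared in the source.
function declared_functions(array $tokens): array {
    $names = [];
    foreach ($tokens as $i => $t) {
        if (is_array($t) && $t[0] === T_FUNCTION && ($name = function_name($tokens, $i)) !== null) {
            $names[strtolower($name)] = true;
        }
    }
    return $names;
}

// The scheme quoted from the POBS page: prefix letter + first 8 hex chars of MD5.
function pobs_name(string $prefix, string $name): string {
    return $prefix . substr(md5($name), 0, 8);
}

// Rename every declared function and every ordinary variable. $map collects
// new => old: the table the owner keeps and the cracker does not have.
function obfuscate(string $src, array &$map): string {
    $keep = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_SERVER', '$_COOKIE',
             '$_FILES', '$_ENV', '$_REQUEST', '$_SESSION'];
    $tokens = token_get_all($src);
    $funcs = declared_functions($tokens);
    $out = '';
    foreach ($tokens as $t) {
        if (!is_array($t)) { $out .= $t; continue; }      // punctuation passes through
        [$id, $text] = $t;
        if ($id === T_VARIABLE && !in_array($text, $keep, true)) {
            $new = '$' . pobs_name('V', substr($text, 1));
        } elseif ($id === T_STRING && isset($funcs[strtolower($text)])) {
            $new = pobs_name('F', $text);                  // declaration and every call site
        } else {
            $out .= $text; continue;
        }
        $map[$new] = $text;
        $out .= $new;
    }
    return $out;
}

// Miguel's heuristic: calls to PHP built-ins inside each declared function's
// body, most first. Those are the functions whose purpose is easiest to read off.
function rank_by_builtin_calls(string $src): array {
    $builtin = array_flip(get_defined_functions()['internal']);
    $tokens = token_get_all($src);
    $n = count($tokens);
    $counts = [];
    $current = null;   // function whose declaration we are inside
    $depth = 0;        // brace depth of its body; the body ends when it returns to 0
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if ($current === null) {
            if (is_array($t) && $t[0] === T_FUNCTION && ($current = function_name($tokens, $i)) !== null) {
                $counts[$current] = 0;
                $depth = 0;
            }
            continue;
        }
        if ($t === '{' || (is_array($t) && in_array($t[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true))) {
            $depth++;
        } elseif ($t === '}') {
            if (--$depth === 0) $current = null;
        } elseif ($t === ';' && $depth === 0) {
            $current = null;                               // abstract/interface method, no body
        } elseif ($depth > 0 && is_array($t) && $t[0] === T_STRING && isset($builtin[strtolower($t[1])])) {
            $j = next_nonws($tokens, $i);
            if ($j < $n && $tokens[$j] === '(') $counts[$current]++;
        }
    }
    arsort($counts);
    return $counts;
}

// Constructed sample input using the identifiers quoted from the POBS page.
$sample = <<<'SRC'
<?php
define('USERDIR', '/var/www/users');
function MakeImageHtml($ImgText, $width) {
    $safe = htmlspecialchars($ImgText);
    return sprintf('<img src="%s/logo.png" alt="%s" width="%d">', USERDIR, $safe, intval($width));
}
function Wrap($html) { return "<div>$html</div>"; }
echo Wrap(MakeImageHtml('logo', '120'));
SRC;

$map = [];
$obfuscated = obfuscate($sample, $map);
echo $obfuscated, "\n\n";
// The owner's table inverts the renaming exactly; a cracker without it starts
// where the built-in calls cluster.
echo strtr($obfuscated, $map) === $sample ? "round trip ok\n" : "round trip FAILED\n";
print_r(rank_by_builtin_calls($obfuscated));
```

Run it and the ranking puts the renamed MakeImageHtml first: its body still calls htmlspecialchars(), sprintf() and intval() in plain sight, so what it does is obvious and the name can be put back, which is exactly the order of work Miguel's Step 2 relies on. The renaming removes only the identifiers; calls to built-ins, control flow and string literals all survive, and that is the material a prettyprinter plus search-and-replace works from.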
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
But the point is we aren't talking about a HACKER. We are talking about some cheapskate corporate suit who probably doesn't know how to turn his computer on. Most companies have an IT department, but most network admins aren't programmers (some can), and if they had programmers, they wouldn't need to hire you. If they did hire you, why not pay you to write the code instead of paying their people to go through the hassle of reverse engineering it?

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]

-----Original Message-----
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 5:12 PM
To: Collins, Robert
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

For what it's worth, it's been my experience that people that have the free time to hack other people's work find pleasure in hacking other people's work, regardless of the time and talent it takes. If they had the motivation to write their own programs, they'd have a good programming job. Maybe they do anyway, but as it is, they find a hobby in 'exposing security flaws' in others' programs.

Jason Soza

----- Original Message -----
From: Collins, Robert [EMAIL PROTECTED]
Date: Monday, May 13, 2002 2:06 pm
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

This thread was started to discuss how a contract programmer can protect himself from getting ripped off by a dishonest person or company, not every little hacker in the world.

<SNIP>
It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag.
</SNIP>

If they had the talent or the free time they would have programmed it themselves, because most of the time it takes longer to backwards engineer a program than it does to write it from scratch.

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
IMHO the best way as a contractor to protect yourself against dishonest companies or people is a contract. However, there may be a simple method to programmatically help.

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

Put the common functions in this file and store it on your server.

core_functions.php

<PSUDO CODE>
function does_something() {
    // code here
}
function does_something_else() {
    // code here
}
function another_function() {
    // code here
}
</PSUDO CODE>

When you get the final payment you turn over the last file, and they put it in the correct directory. If they don't pay, you change the filename and the site stops working. It would be difficult to rebuild the file (although not impossible) because they wouldn't know exactly how the functions worked or interacted with one another.

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
I like this idea...

Collins, Robert wrote:

IMHO the best way as a contractor to protect yourself against dishonest companies or people is a contract. However, there may be a simple method to programmatically help.

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

Put the common functions in this file and store it on your server.

core_functions.php

<PSUDO CODE>
function does_something() {
    // code here
}
function does_something_else() {
    // code here
}
function another_function() {
    // code here
}
</PSUDO CODE>

When you get the final payment you turn over the last file, and they put it in the correct directory. If they don't pay, you change the filename and the site stops working. It would be difficult to rebuild the file (although not impossible) because they wouldn't know exactly how the functions worked or interacted with one another.

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
Collins, Robert [EMAIL PROTECTED] wrote:

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

If the code can get core_functions.php from your server, so can they!!

A legal agreement is the only way to go.

-- 
Stuart
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
From: Stuart Dallas [EMAIL PROTECTED]

Collins, Robert [EMAIL PROTECTED] wrote:

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

If the code can get core_functions.php from your server, so can they!!

A legal agreement is the only way to go.

Not to mention that if you pull a .php page through HTTP, like you're doing, you're going to get the parsed result, not the PHP code.

---John Holmes...
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
Good point, I hadn't thought about that. Maybe it's time for that second pot of coffee ;)

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]

-----Original Message-----
From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 10:00 AM
To: Stuart Dallas; Collins, Robert; [EMAIL PROTECTED]
Subject: Re: [PHP] Genius who came up with Self Destruct Code Copy Protection

From: Stuart Dallas [EMAIL PROTECTED]

Collins, Robert [EMAIL PROTECTED] wrote:

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

If the code can get core_functions.php from your server, so can they!!

A legal agreement is the only way to go.

Not to mention that if you pull a .php page through HTTP, like you're doing, you're going to get the parsed result, not the PHP code.

---John Holmes...
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
On Tuesday 14 May 2002 23:00, 1LT John W. Holmes wrote:

From: Stuart Dallas [EMAIL PROTECTED]

Collins, Robert [EMAIL PROTECTED] wrote:

Put something like this in the top of each of the pages that have common functions:

<PSUDO CODE>
if (file_exists('/path/to/file/core_functions.php')) {
    $core_functions = '/path/to/file/core_functions.php';
} else {
    $core_functions = 'http://www.domain.com/path/to/file/core_functions.php';
}
require_once($core_functions);
</PSUDO CODE>

If the code can get core_functions.php from your server, so can they!!

A legal agreement is the only way to go.

Not to mention that if you pull a .php page through HTTP, like you're doing, you're going to get the parsed result, not the PHP code.

That's exactly what you need :)

Have some core functions that are remotely accessed. For example:

$result = file("http://www.myserver.com/functions/square_root.php?input=4");

Then at www.myserver.com the square_root.php file would contain:

<? echo sqrt($input); ?>

Does anyone see any flaws in this?

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* We'll cross that bridge when we come back to it later. */
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
[snip]

That's exactly what you need :)

Have some core functions that are remotely accessed. For example:

$result = file("http://www.myserver.com/functions/square_root.php?input=4");

Then at www.myserver.com the square_root.php file would contain:

<? echo sqrt($input); ?>

Does anyone see any flaws in this?

As long as you realize that any method like this is just going to be retrieving a string, basically. You don't get any PHP code back, you just get the results of the PHP code. So in your example, you get a one-dimensional array with $result[0] = 2.

I don't see any benefit of doing it this way. What do you expect to receive back that they can't duplicate on their end? Whatever you receive back is probably going into an IF statement, so they just remove the condition and say if(1), or put their own condition in...

---John Holmes...
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
On Tue, 14 May 2002, Collins, Robert wrote:

$core_functions = "http://www.domain.com/path/to/file/core_functions.php";
require_once($core_functions);

1) You'd have to eval() it rather than requiring it.

2) lynx -source -dump http://www.domain.com/path/to/file/core_functions.php > core_functions.php

3) As in Jason's somewhat more effective example, it's slow.

miguel
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
----- Original Message -----
From: Miguel Cruz [EMAIL PROTECTED]

On Tue, 14 May 2002, Collins, Robert wrote:

$core_functions = "http://www.domain.com/path/to/file/core_functions.php";
require_once($core_functions);

1) You'd have to eval() it rather than requiring it.

I don't think you can eval() a remote file.

2) lynx -source -dump http://www.domain.com/path/to/file/core_functions.php > core_functions.php

All this will do is return you the HTML generated by the PHP file, which will be empty, probably, if this is a file of function declarations.

3) As in Jason's somewhat more effective example, it's slow.

Could you imagine if this worked? You could include code from anyone's PHP server.

Someone please correct me if I've just got this all wrong.

---John Holmes...
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
On Tue, 14 May 2002, 1LT John W. Holmes wrote:

----- Original Message -----
From: Miguel Cruz [EMAIL PROTECTED]

On Tue, 14 May 2002, Collins, Robert wrote:

$core_functions = "http://www.domain.com/path/to/file/core_functions.php";
require_once($core_functions);

1) You'd have to eval() it rather than requiring it.

I don't think you can eval() a remote file.

I didn't provide code, but the idea was that you'd read the remote file into a string and then eval it. Though, now, upon reading the documentation for include(), I see that you can just do that without all my eval nonsense.

2) lynx -source -dump http://www.domain.com/path/to/file/core_functions.php > core_functions.php

All this will do is return you the HTML generated by the PHP file, which will be empty, probably, if this is a file of function declarations.

Yes, fair enough, in order for the above (eval / require) to work as described, the server would have to be willing to hand you the PHP source. Which, in many cases, wouldn't happen with a .php suffix.

Anyway, the point is that anything that you can require() or include() or whatever off a remote server can also be fetched with other tools for leisurely inspection and duplication.

3) As in Jason's somewhat more effective example, it's slow.

Could you imagine if this worked? You could include code from anyone's PHP server.

Someone please correct me if I've just got this all wrong.

Jason's example was just a slightly ornate form of RPC. I don't see any reason why it wouldn't work, I just think it introduces performance problems and failure points and therefore isn't an optimal solution.

miguel
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
On Wednesday 15 May 2002 03:24, 1LT John W. Holmes wrote:

Does anyone see any flaws in this?

As long as you realize that any method like this is just going to be retrieving a string, basically. You don't get any PHP code back, you just get the results of the PHP code. So in your example, you get a one-dimensional array with $result[0] = 2.

A string is all you need. That's the whole point, you don't want to return any code. One can serialize a whole array and return that as well.

I don't see any benefit of doing it this way.

The benefit is that code which is crucial to the operation of the app is hidden away from prying eyes.

What do you expect to receive back that they can't duplicate on their end?

Results from a db query? Or html code to print a table of results? I'm sure you could think of more :)

Whatever you receive back is probably going into an IF statement, so they just remove the condition and say if(1), or put their own condition in...

Obviously if you were going to such lengths to protect your code you would structure it so that it wouldn't be as easy as that to circumvent.

Note I'm not advocating the use of such techniques. I'm just musing on the technical feasibilities of such a scheme.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* Daemon escaped from pentagram */
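Both halves of the remote-function scheme argued over in the last few messages, as an added example that is not code from the thread. server_handle(), render_rows(), remote_call() and the 'licensed' key value are made up for the illustration, and a closure stands in for the HTTP fetch that file("http://www.myserver.com/...") would make, so the whole thing runs offline under PHP 7.4 or later. In a real deployment the server half lives only on the vendor's host; the point is what the customer's copy does and does not contain.

```php
<?php
// Added example, not code from the thread: both halves of the remote-function
// idea in one file. A closure stands in for the HTTP round trip that
// file("http://www.myserver.com/...") would make; in a real deployment
// server_handle() and render_rows() exist only on the vendor's host.
// Function names and the license key value are made up.

// ---- vendor's host: returns results as a string, never code ----------------

function render_rows(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . htmlspecialchars((string)$cell, ENT_QUOTES) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . '</table>';
}

function server_handle(string $fn, array $args): string {
    switch ($fn) {
        case 'square_root':                  // the thread's own example
            $result = sqrt((float)($args['input'] ?? 0));
            break;
        case 'licensed':                     // a yes/no check: the weak kind
            $result = ($args['key'] ?? '') === 'hypothetical-secret';
            break;
        case 'report_table':                 // real work: the kind worth hiding
            $rows = $args['rows'] ?? [];
            $result = ['count' => count($rows), 'html' => render_rows($rows)];
            break;
        default:
            $result = ['error' => 'unknown function'];
    }
    // Whole arrays travel as one string, as Jason notes; the customer only
    // ever sees this string, never the PHP that produced it.
    return serialize($result);
}

// ---- customer's host: the code that actually ships --------------------------

function remote_call(callable $transport, string $fn, array $args) {
    $raw = $transport($fn, $args);
    // Data off the wire is untrusted: never let unserialize() build objects from it.
    return unserialize($raw, ['allowed_classes' => false]);
}

// Stand-in for file()/HTTP. A real client would build the query string from
// $args and fetch http://www.myserver.com/functions/$fn.php instead.
$transport = fn(string $fn, array $args): string => server_handle($fn, $args);

echo remote_call($transport, 'square_root', ['input' => 4]), "\n";

// This is what John Holmes means by "just remove the condition": one edit
// to "if (true)" and the vendor's server is never consulted again.
if (remote_call($transport, 'licensed', ['key' => 'wrong']) === true) {
    echo "licensed\n";
} else {
    echo "not licensed\n";
}

// This call cannot be patched away: nothing on the customer's side knows how
// to build the report. The same dependency is Miguel's objection, since a
// slow or dead vendor host takes the feature down for paying customers too.
$report = remote_call($transport, 'report_table',
    ['rows' => [['id' => 1, 'name' => 'A&B'], ['id' => 2, 'name' => '<x>']]]);
echo $report['count'], " rows\n", $report['html'], "\n";
```

Two things to take from it: only calls whose result the customer cannot reproduce (here, a report their copy has no code to render) gain anything from going remote, and whatever comes back must be treated as untrusted input. serialize() is what the thread suggests, so the client passes allowed_classes => false to unserialize(); without it a response from a spoofed vendor host could instantiate arbitrary classes on the customer's server.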
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
I don't think the success of a commercial product depends on whether its source is public or not. But it may depend on whether the product can be easily stolen or multiplied. Sure, you can simply trust people to act honestly and legally, but that isn't always the case.

Let's assume you made a great product for ISPs (that again will be used by their customers). You sell an ISP ten licenses for the use of the product. But who tells you that company does not install and use it some hundred times? You have no control over it and you don't even know about it in most cases. In this case no contract helps you if 90% of the installations of your product exist without you knowing it.

That's why I'm thinking of a copy protection. Maybe some sort of registration key that allows the use of the product only on a specific domain. The protection mechanism should of course be protected itself, meaning the code should be encoded or scrambled or whatever.

Sure there is no 100% secure copy protection. I think the question is: how can I make it most difficult to break?

The Zend Encoder is way too expensive and even requires the Zend Optimizer on the server. The PHP Obfuscator seems to be a really good alternative.

Maybe not even all the code must be secured. One could also encrypt only an important include file or something that is necessary for the product to work. You then would have a good copy protection (maybe) and the main code is still open for individual modifications.

I simply heard too much about stolen software. Maybe you can trust the company itself, but can you trust every employee of the company? Once an illegal copy is distributed it's over with the trust. Bang! Your product is installed on 1000 web sites (without you knowing that) and you have sold only 50 licenses... Of course all values are for explanation only ;)

Udo
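One way to build the domain-bound registration key Udo describes, as an added example that is not code from the thread or from any product named in it. It assumes PHP 7.1 or later with the OpenSSL extension; make_keypair(), issue_key(), key_valid(), the domain shop.example.com and the dates are all made up for the illustration. The vendor signs "version|domain|expiry" with a private key that never leaves the vendor, so the shipped code carries only the public key.

```php
<?php
// Added example, not code from the thread: a registration key tied to one
// host name. The vendor signs "version|domain|expiry" with a private key kept
// off every customer server; the shipped code holds only the public key, so a
// customer who reads the code can delete the check but cannot mint keys for
// other domains. Domain names and dates below are made up.

const KEY_VERSION = '1';

// Vendor side, run once. Keep $priv off every customer server.
function make_keypair(): array {
    $res = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_EC,
        'curve_name'       => 'prime256v1',
    ]);
    openssl_pkey_export($res, $priv);
    $pub = openssl_pkey_get_details($res)['key'];
    return [$priv, $pub];
}

// Vendor side: issue one key for one host name, valid until $expires (unix time).
function issue_key(string $priv_pem, string $domain, int $expires): string {
    $payload = KEY_VERSION . '|' . strtolower($domain) . '|' . $expires;
    openssl_sign($payload, $sig, $priv_pem, OPENSSL_ALGO_SHA256);
    return base64_encode($payload . '|' . $sig);
}

// Customer side: accept the key only for the host actually serving the
// request. The running app passes $_SERVER['HTTP_HOST'] and time().
function key_valid(string $pub_pem, string $key, string $host, int $now): bool {
    $raw = base64_decode($key, true);
    if ($raw === false) {
        return false;
    }
    // The signature is binary and may itself contain '|', so split at most 4 ways.
    $parts = explode('|', $raw, 4);
    if (count($parts) !== 4) {
        return false;
    }
    [$ver, $domain, $expires, $sig] = $parts;
    if ($ver !== KEY_VERSION || !preg_match('/^\d{1,12}$/', $expires)) {
        return false;
    }
    // Compare the bare host name: drop any :port and normalise case.
    $host = strtolower(explode(':', $host, 2)[0]);
    if ($host !== $domain || $now > (int)$expires) {
        return false;
    }
    $payload = $ver . '|' . $domain . '|' . $expires;
    return openssl_verify($payload, $sig, $pub_pem, OPENSSL_ALGO_SHA256) === 1;
}

// Demonstration with constructed values.
[$priv, $pub] = make_keypair();
$key = issue_key($priv, 'shop.example.com', strtotime('2003-01-01 00:00:00 UTC'));
$june2002 = strtotime('2002-06-01 00:00:00 UTC');
$checks = [
    'right host, in date' => key_valid($pub, $key, 'shop.example.com:8080', $june2002),
    'other host'          => key_valid($pub, $key, 'other.example.com', $june2002),
    'expired'             => key_valid($pub, $key, 'shop.example.com', strtotime('2003-06-01 00:00:00 UTC')),
    'tampered key'        => key_valid($pub, substr($key, 0, -4) . 'AAAA', 'shop.example.com', $june2002),
];
foreach ($checks as $label => $ok) {
    printf("%-20s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The asymmetric signature is the part that matters: with a shared HMAC secret in the shipped code, anyone who reads it can issue keys for every domain they like, whereas here they can only remove the call to key_valid(). That removal is exactly the weakness the rest of the thread is about, and the host name comes from the request rather than from anything the vendor controls, so this is a check against casual re-use of one licensed copy on a second site, not a boundary against a customer who owns the server.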
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
Sure there is no 100% secure copy protection. I think the question is: how can I make it most difficult to break?

The term I use is "keeping honest people out".

Also, if you're on active duty military, don't write anything for them. From the few responses I've seen to a question I asked, the Army owns intellectual rights to everything I'm doing for them... sux...

---John Holmes...
Re: [PHP] Genius who came up with Self Destruct Code Copy Protection
[EMAIL PROTECTED] (1lt John W. Holmes) wrote in news:003301c1fa80$6cdfd1d0$2f7e3393@TB447CCO3:

The term I use is "keeping honest people out".

Not necessarily. If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle.

That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime

I do not expect any more replies ;)

Udo
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
Everyone is arguing that these encoders can be cracked. Does anyone know of one, have you done it yourself? How long did it take? I mean I'm not going to leave my door unlocked cuz someone can pick it open.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 3:29 PM
To: Udo Giacomozzi
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Genius who came up with Self Destruct Code Copy Protection

On 13 May 2002, Udo Giacomozzi wrote:

If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle. That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime

All of these have weaknesses. And therefore the whole exercise is moot. It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag. Once it has been broken, it will spread and then it won't matter how complex your scheme was. I really doubt there is any software out there that isn't being traded by high-school kids, even if they have no idea what it's for. The only exceptions would be something so arcane and obscure that nobody ever had an interest in cracking it.

miguel
Re: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
I think the point of all this, and I'm sure I'll be corrected if I've misunderstood, is that you can spend your time encrypting, obfuscating, whatever, but either way your program will get distributed as-is, reverse engineered, etc. If someone wants to do it, they'll do it.

Using your example, sure, you're not going to leave your door unlocked because there are a million lock-pickers out there you know could get through your lock. But by locking your door, do you feel safe? Someone could come in a glass window as easily as they pick your lock. Determined thieves can get around even the biggest doors with the biggest locks. Look at all the bank robberies that have taken place over the past century.

I guess the bottom line: you can do what you want with your code, but that doesn't make it hack-proof (or anti-distributable!).

Jason Soza

----- Original Message -----
From: SP [EMAIL PROTECTED]
Date: Monday, May 13, 2002 1:48 pm
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

Everyone is arguing that these encoders can be cracked. Does anyone know of one, have you done it yourself? How long did it take? I mean I'm not going to leave my door unlocked cuz someone can pick it open.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 3:29 PM
To: Udo Giacomozzi
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Genius who came up with Self Destruct Code Copy Protection

On 13 May 2002, Udo Giacomozzi wrote:

If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle. That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime

All of these have weaknesses. And therefore the whole exercise is moot. It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag. Once it has been broken, it will spread and then it won't matter how complex your scheme was. I really doubt there is any software out there that isn't being traded by high-school kids, even if they have no idea what it's for. The only exceptions would be something so arcane and obscure that nobody ever had an interest in cracking it.

miguel
RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
This thread was started to discuss how a contract programmer can protect himself from getting ripped off by a dishonest person or company, not every little hacker in the world.

<SNIP>
It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag.
</SNIP>

If they had the talent or the free time they would have programmed it themselves, because most of the time it takes longer to backwards engineer a program than it does to write it from scratch.

Robert W. Collins II
Webmaster
New Orleans Regional Transit Authority
Phone : (504) 248-3826
Email : [EMAIL PROTECTED]
RE: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection
I've watched this thread; now I'll comment, because it applies to many other things.

Yes, even if you take some steps to protect your code it may still be distributed, but it WILL be distributed if you don't. Think about security: as a sysadmin I can't just not apply security updates. You apply every security update you can, even though a determined cracker can still get into your box, because you eliminate most of the script kiddies. Just because you can circumvent something does not mean it is not worth doing. There is a trade-off between security and usability: to make something completely secure you make it completely unusable, so you need to find a middle ground with your systems and your code. As far as banks being robbed, yes they may be robbed, but we still lose less money than if we left the vault unlocked and just told people to help themselves.

Jason

-----Original Message-----
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

I think the point of all this, and I'm sure I'll be corrected if I've misunderstood, is that you can spend your time encrypting, obfuscating, whatever, but either way your program will get distributed as-is, reverse engineered, etc. If someone wants to do it, they'll do it.

Using your example, sure, you're not going to leave your door unlocked because there are a million lock-pickers out there you know could get through your lock. But by locking your door, do you feel safe? Someone could come in a glass window as easily as they pick your lock. Determined thieves can get around even the biggest doors with the biggest locks. Look at all the bank robberies that have taken place over the past century.

I guess the bottom line: you can do what you want with your code, but that doesn't make it hack-proof (or anti-distributable!).

Jason Soza

----- Original Message -----
From: SP [EMAIL PROTECTED]
Date: Monday, May 13, 2002 1:48 pm
Subject: RE: [PHP] Genius who came up with Self Destruct Code Copy Protection

Everyone is arguing that these encoders can be cracked. Does anyone know of one, have you done it yourself? How long did it take? I mean I'm not going to leave my door unlocked cuz someone can pick it open.

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 3:29 PM
To: Udo Giacomozzi
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Genius who came up with Self Destruct Code Copy Protection

On 13 May 2002, Udo Giacomozzi wrote:

If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle. That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime

All of these have weaknesses. And therefore the whole exercise is moot. It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag. Once it has been broken, it will spread and then it won't matter how complex your scheme was. I really doubt there is any software out there that isn't being traded by high-school kids, even if they have no idea what it's for. The only exceptions would be something so arcane and obscure that nobody ever had an interest in cracking it.

miguel
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
As an example, someone provided this link on the PHP Obfuscator http://pobs.mywalhalla.net and I'm just quoting what it says it does:

POBS replaces user-defined (NOT predefined) functions, constants and variables with an MD5 key of 8 characters ... The first letter of the new function name is an F, of a variable a V and of a constant a C.
The function with name MakeImageHtml is replaced by Fee2c1bdc
The variable $ImgText is replaced by $V1d9d94a6
The constant USERDIR is replaced by C389a367e

It also concatenates lines and removes comments and indents, and so yeah, you could spend your time hunting down the killswitch and the 10 other backdoors I put in the prog, but what do you end up with? A working app that no coder would even want to maintain or touch. And the good thing is the longer the guy that stiffed you uses the app, the more screwed they will be.

-Original Message-
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection

Well, I promise you that I can re-activate any solely PHP-based remote killswitch in a matter of minutes - maybe hours if the person was really good. It's just too easy when you have the source code for the interpreter. Likewise the only truly effective PHP encoder would be one that created confusion by scrambling all the variable names to be names of my former girlfriends. Anything else is just like working with bad code from a contractor or junior employee - run it through the prettyprinter, open up a Dr. Pepper, and be the PHP interpreter for a while. Coming up with robust code protection is a very, very challenging task. You spend a long time working out a scheme, then someone figures it out, and you have to start over again - everything protected by your previous scheme is now out in the open. Much better to focus on the legal side of it.

If you really don't think you're going to be able to police the use of your code, to a degree that piracy is going to cost you more than your time is worth, you should be looking for a new set of clients.

miguel

On Mon, 13 May 2002, SP wrote:

Everyone is arguing that these encoders can be cracked. Does anyone know of one, have you done it yourself? How long did it take? I mean I'm not going to leave my door unlocked cuz someone can pick it open.

-Original Message-
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: May 13, 2002 3:29 PM
To: Udo Giacomozzi
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Genus who came up with Self Destruct Code Copy Pro tection

On 13 May 2002, Udo Giacomozzi wrote:

If the whole thing is designed the right way. A copy protection I like, for example, are dongles. Ok, they are not applicable to PHP and aren't 100% secure either [don't want to start a discussion about this now]. But this system makes no problems for the people that have the dongle. That was why I first came up with this question. As a PHP beginner I wanted to know if there are elegant ways to make an acceptable copy protection. There seem to be only 3 possibilities:
- zend encoder
- a code obfuscator like POBS
- encrypting the source code and then decrypting it in realtime
All of these have weaknesses.

And therefore the whole exercise is moot. It only takes one person with some free time to break your protection scheme, and then the cat's out of the bag. Once it has been broken, it will spread and then it won't matter how complex your scheme was. I really doubt there is any software out there that isn't being traded by high-school kids, even if they have no idea what it's for. The only exceptions would be something so arcane and obscure that nobody ever had an interest in cracking it.

miguel
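To make the POBS description and Miguel's reply concrete, here is an added Python sketch of the rename-and-flatten transform (not code from the thread, from POBS, or from any list member). It assumes the 8 hex characters are a prefix of MD5 of the original name, which the quoted examples suggest but do not confirm, and shows that the same `rename()` reverses the transform once the mapping is known: the output is a consistent renaming of the source, not encryption, which is why a prettyprinter plus search-and-replace gets it back.

```python
import hashlib
import re

# Constructed sample input, not code from the thread: one user-defined function,
# two variables and one constant, plus a comment and indentation for the tool to strip.
SAMPLE_PHP = """<?php
// build an <img> tag for a caption supplied by the caller
define('USERDIR', '/var/www/users');
function MakeImageHtml($ImgText) {
    $Safe = htmlspecialchars($ImgText);
    return '<img alt="' . $Safe . '" src="' . USERDIR . '/x.png">';
}
echo MakeImageHtml('hello');
"""


def obf_name(kind: str, name: str) -> str:
    """POBS-style replacement: kind letter (F/V/C) + 8 hex characters.
    Taking the 8 characters as a prefix of MD5(name) is an assumption modelled on
    the examples quoted in the thread; the real tool's derivation is not shown there."""
    return kind + hashlib.md5(name.encode()).hexdigest()[:8]


def build_mapping(src: str) -> dict:
    """Find user-defined functions, variables and constants and assign new names.
    Predefined functions such as htmlspecialchars() never enter the mapping because
    only 'function NAME' declarations and define('NAME') calls are scanned."""
    mapping = {}
    for fn in re.findall(r"\bfunction\s+([A-Za-z_]\w*)", src):
        mapping[fn] = obf_name("F", fn)
    for var in re.findall(r"\$([A-Za-z_]\w*)", src):
        mapping["$" + var] = "$" + obf_name("V", var)
    for const in re.findall(r"\bdefine\(\s*'([A-Za-z_]\w*)'", src):
        mapping[const] = obf_name("C", const)
    return mapping


def rename(src: str, mapping: dict) -> str:
    """Apply a name mapping consistently across the whole source.
    This is the entire transform: a one-to-one rename, so it runs in either direction."""
    for old in sorted(mapping, key=len, reverse=True):  # longest first, no prefix clobbering
        src = re.sub(r"(?<![\w$])" + re.escape(old) + r"\b", mapping[old], src)
    return src


def strip_layout(src: str) -> str:
    """Drop // comments, indentation and line breaks, as the POBS description says.
    Deliberately naive: it would also eat a '//' inside a string literal."""
    lines = [re.sub(r"//.*$", "", ln).strip() for ln in src.splitlines()]
    return " ".join(ln for ln in lines if ln)


def obfuscate(src: str):
    """Return the POBS-style output together with the mapping that produced it."""
    mapping = build_mapping(src)
    return strip_layout(rename(src, mapping)), mapping


def deobfuscate(obf: str, mapping: dict) -> str:
    """Miguel's step 2, mechanised: once each F/V/C name has been worked out,
    one consistent search-and-replace with the inverted mapping restores the code."""
    return rename(obf, {new: old for old, new in mapping.items()})


if __name__ == "__main__":
    out, names = obfuscate(SAMPLE_PHP)
    print(out)
    print(deobfuscate(out, names) == strip_layout(SAMPLE_PHP))  # True: nothing was hidden, only renamed
```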
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
So I should buy a commercial product from zend to protect my code, but since my code will be reverse engineered anyways then what's the point of buying from zend?

-Original Message-
From: David Freeman [mailto:[EMAIL PROTECTED]]
Sent: May 9, 2002 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection

Obviously most coders are in the middle ground. They are not writing the killer app of all time but it is of significant value. I don't know what people on here are charging but I can't add $2880 a year to my overhead for the zend encoder. Plus add $1875 per cpu for the zend accelerator for each project.

My personal opinion is that your code is either worth protecting or it's not. If it's worth protecting then that protection comes at a price. Sorry, commercial reality time here. If you are going to operate on a commercial basis then you have commercial decisions to make. This is one of them.

So you're bidding for a project and the guy asks, "Let me get this straight, you're charging me more than everyone else and I won't be able to edit the code?" I think you would simply be pricing yourself out of the market.

If that's what you're going to do then yes. Ask yourself what people like ISC (the people who do bind and sendmail) do to make a living - after all they have seriously commercial quality products available for free - or people like RedHat (who give away their linux distro for nix if you want to download it, or pay a small fee to whatever company downloads it and sells CD-R burns of the iso's). People can, and do, make money giving away their code. When you figure out how they are doing it, and the philosophy behind it, then maybe that will ease these fears.

I can pretty much guarantee that if you come up with a killer app in php that no matter how protected it is you will not be the only one with a version of killer app for long. Someone else will come along and write something similar - if that person does it open source then there's also a fair chance it will end up being better than your product due to the sheer weight of numbers contributing to it.

In the end all this, and more, are your decisions. Of course, if you choose not to do this commercially then it's a whole different setup with different goals and so on.

For the record, I pretty much release what I do to anyone who wants it. Not that my efforts are of a standard that they are worth all that much per se - they are often fairly specific to the project at hand and not overly portable (in their released format). I do have one intranet application under development for my own business that may well end up with a strong commercial basis, but it will never be a single product but part of a much larger package my business is currently planning. Even then, the code associated with that project may end up open sourced in some way. Let's face it, there's even a move to replicate the zend encoder in open source.

As has already been said, there also has to be a level of trust between you and your client(s) if you are going to do business with them. If your clients see you as overly paranoid about your work they may end up not wanting to deal with you anyway. If you're that paranoid about losing control of your work, offer it on a complete solution basis - either you host it on a machine that they have no back end access to, or you provide the hardware as well as the software and have it locked out in such a way that the code is not easily stolen. Although, even here you'll sooner or later be compromised I would think.

CYA, Dave
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
So I should buy a commercial product from zend to protect my code, but since my code will be reverse engineered anyways then what's the point of buying from zend?

That's your choice. It's also my point. If you can't be 100% secure then perhaps you should be looking at what you're trying to do. Some observable facts:

1. Some companies remain, from what I can tell, highly successful and can give away their source code for free.
2. Some companies remain, from what I can tell, highly successful without giving away any of their source.
3. Some companies fail, even if they are giving away their source.
4. Some companies fail, even if they don't give away their source.

The conclusion I draw from that is that protecting or giving away your source is not a single make or break decision for a company. Rather, there are a myriad of decisions involved, of which the status of any source code is but one. Protect it, don't protect it, by itself it doesn't mean squat. In association with other things it might. For example, if you aren't prepared to pursue, in the courts as necessary, your closed source proprietary code then sooner or later someone will figure that out and take it for their own use. Do you think Microsoft would be as successful if it wasn't as aggressive about protecting its intellectual property?

Speaking only for myself, I believe the effort involved to be not worth it, so I have no current intention of trying to protect, encode, conceal, booby trap or whatever any of my code. What you do is your business. You'd probably do well to understand the implications first - what are you protecting? Why? How far will you go to protect it? Will you take legal action? Etc etc etc

CYA, Dave
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
I was talking in general. The BBS was simply an example to make things clearer. I am *not* developing a BB system! If you want you can think of an imaginary tool that makes a website load twice as fast, needs half the web space and makes the website look nicer, of course at lower

OK, if you're producing something with a significant commercial value then spring for the dollars to pay for zend encoder and use it. Seems like some people want it both ways - my code is different and unique and has commercial value in and of itself, but I'm not prepared to spend real dollars to protect it, I want free code to do that. I suspect that many people in this situation have an overly high opinion of their code and, in reality, there are open source or free alternatives that do much the same (albeit elegant and easily customisable or whatever) and, as such, it is not worth spending the money on zend.

CYA, Dave
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
Obviously most coders are in the middle ground. They are not writing the killer app of all time but it is of significant value. I don't know what people on here are charging but I can't add $2880 a year to my overhead for the zend encoder. Plus add $1875 per cpu for the zend accelerator for each project.

So you're bidding for a project and the guy asks, "Let me get this straight, you're charging me more than everyone else and I won't be able to edit the code?" I think you would simply be pricing yourself out of the market.

-Original Message-
From: David Freeman [mailto:[EMAIL PROTECTED]]
Sent: May 9, 2002 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection

I was talking in general. The BBS was simply an example to make things clearer. I am *not* developing a BB system! If you want you can think of an imaginary tool that makes a website load twice as fast, needs half the web space and makes the website look nicer, of course at lower

OK, if you're producing something with a significant commercial value then spring for the dollars to pay for zend encoder and use it. Seems like some people want it both ways - my code is different and unique and has commercial value in and of itself, but I'm not prepared to spend real dollars to protect it, I want free code to do that. I suspect that many people in this situation have an overly high opinion of their code and, in reality, there are open source or free alternatives that do much the same (albeit elegant and easily customisable or whatever) and, as such, it is not worth spending the money on zend.

CYA, Dave
RE: [PHP] Genus who came up with Self Destruct Code Copy Pro tection
Obviously most coders are in the middle ground. They are not writing the killer app of all time but it is of significant value. I don't know what people on here are charging but I can't add $2880 a year to my overhead for the zend encoder. Plus add $1875 per cpu for the zend accelerator for each project.

My personal opinion is that your code is either worth protecting or it's not. If it's worth protecting then that protection comes at a price. Sorry, commercial reality time here. If you are going to operate on a commercial basis then you have commercial decisions to make. This is one of them.

So you're bidding for a project and the guy asks, "Let me get this straight, you're charging me more than everyone else and I won't be able to edit the code?" I think you would simply be pricing yourself out of the market.

If that's what you're going to do then yes. Ask yourself what people like ISC (the people who do bind and sendmail) do to make a living - after all they have seriously commercial quality products available for free - or people like RedHat (who give away their linux distro for nix if you want to download it, or pay a small fee to whatever company downloads it and sells CD-R burns of the iso's). People can, and do, make money giving away their code. When you figure out how they are doing it, and the philosophy behind it, then maybe that will ease these fears.

I can pretty much guarantee that if you come up with a killer app in php that no matter how protected it is you will not be the only one with a version of killer app for long. Someone else will come along and write something similar - if that person does it open source then there's also a fair chance it will end up being better than your product due to the sheer weight of numbers contributing to it.

In the end all this, and more, are your decisions. Of course, if you choose not to do this commercially then it's a whole different setup with different goals and so on.

For the record, I pretty much release what I do to anyone who wants it. Not that my efforts are of a standard that they are worth all that much per se - they are often fairly specific to the project at hand and not overly portable (in their released format). I do have one intranet application under development for my own business that may well end up with a strong commercial basis, but it will never be a single product but part of a much larger package my business is currently planning. Even then, the code associated with that project may end up open sourced in some way. Let's face it, there's even a move to replicate the zend encoder in open source.

As has already been said, there also has to be a level of trust between you and your client(s) if you are going to do business with them. If your clients see you as overly paranoid about your work they may end up not wanting to deal with you anyway. If you're that paranoid about losing control of your work, offer it on a complete solution basis - either you host it on a machine that they have no back end access to, or you provide the hardware as well as the software and have it locked out in such a way that the code is not easily stolen. Although, even here you'll sooner or later be compromised I would think.

CYA, Dave