Rails - Aug 2006 - How to protect your code? Obfuscater?

I just made a rails application that I plan to sell and dsitribute. I 
want to distribute it without having to worry about someone stealing the 
code and selling their own version. How do I do this? Is there a ruby 
obfuscator or anything that can keep someone from seeing the code?

Thanks for your help.

-- 
Posted via http://www.ruby-forum.com/.

I don''t think anybody but script kiddies bother with such stuff. And 
AFAIK obfuscation isn''t much of a hurdle. Now a lawyer and the law 
OTOH...
And is Rails code really that hard to figure out anyway?

Joe

-- 
Posted via http://www.ruby-forum.com/.

Only way I know how at the moment is to take vital parts of the
software and write in C and use it to extend ruby. It''s nasty but
works.

On 8/3/06, Ben Johnson <bjohnson@mediamanifest.com>
wrote:
> I just made a rails application that I plan to sell and dsitribute. I
> want to distribute it without having to worry about someone stealing the
> code and selling their own version. How do I do this? Is there a ruby
> obfuscator or anything that can keep someone from seeing the code?
>
> Thanks for your help.
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

-- 
--------------
Jon Gretar Borgthorsson
http://www.jongretar.net/

Joe wrote:
> I don''t think anybody but script kiddies bother with such stuff.
And
> AFAIK obfuscation isn''t much of a hurdle. Now a lawyer and the law
> OTOH...
> And is Rails code really that hard to figure out anyway?
> 
> Joe
I don''t really understand what you are saying here. I''m about
to sell a
piece of software to multiple companies and gross 6 figures a month. I 
do not want people to steal it. I can''t afford to be naive and assume 
people won''t steal the code.

Does anyone have any idea besides rewriting some of the code in c?

-- 
Posted via http://www.ruby-forum.com/.

On Fri, Aug 04, 2006 at 12:05:17AM +0200, Ben Johnson
wrote:
> I just made a rails application that I plan to sell and dsitribute. I 
> want to distribute it without having to worry about someone stealing the 
> code and selling their own version. How do I do this? Is there a ruby 
> obfuscator or anything that can keep someone from seeing the code?
It''s been discussed a bunch of times before; search the list archives.

- Matt

On Aug 3, 2006, at 6:05 PM, Ben Johnson wrote:
> I just made a rails application that I plan to sell and dsitribute. I
> want to distribute it without having to worry about someone  
> stealing the
> code and selling their own version. How do I do this? Is there a ruby
> obfuscator or anything that can keep someone from seeing the code?
>
> Thanks for your help.
You may want to investigate ZenObfuscate: http://blog.zenspider.com/ 
archives/2006/07/zenobfuscate_no.html
But last I heard it doesn''t work with rails.  But as Joe said,
you''re
best recourse is probably licensing and threat of legal action.
-Mat

Matthew Palmer wrote:
> On Fri, Aug 04, 2006 at 12:05:17AM +0200, Ben Johnson wrote:
>> I just made a rails application that I plan to sell and dsitribute. I 
>> want to distribute it without having to worry about someone stealing
the
>> code and selling their own version. How do I do this? Is there a ruby 
>> obfuscator or anything that can keep someone from seeing the code?
> 
> It''s been discussed a bunch of times before; search the list
archives.
> 
> - Matt
Where? The search is disabled on the forums.

-- 
Posted via http://www.ruby-forum.com/.

On 8/3/06, Ben Johnson <bjohnson@mediamanifest.com>
wrote:
> Does anyone have any idea besides rewriting some of the code in c?
Change the business model so you sell it as hosted service.



-- 
Austin Govella
Thinking & Making: IA, UX, and IxD
http://thinkingandmaking.com
austin.govella@gmail.com

On Fri, Aug 04, 2006 at 04:18:22AM +0200, Ben Johnson
wrote:
> Joe wrote:
> > I don''t think anybody but script kiddies bother with such
stuff. And
> > AFAIK obfuscation isn''t much of a hurdle. Now a lawyer and
the law
> > OTOH...
> > And is Rails code really that hard to figure out anyway?
> > 
> > Joe
> 
> I don''t really understand what you are saying here. I''m
about to sell a
> piece of software to multiple companies and gross 6 figures a month. I 
> do not want people to steal it. I can''t afford to be naive and
assume
> people won''t steal the code.
Charging rent on your secret bits is a terrible business model.  No matter
how you protect the code, someone can just reimplement the functionality and
you''re toast.
> Does anyone have any idea besides rewriting some of the code in c?
A strong licence, and something to catch out the terminally stupid, like
some code that e-mails you every time it gets installed on a machine that
doesn''t have some file somewhere.  That way you can at least see if
someone
lets it out into the wild.  If you know where it''s gone, you can round
it up
and sue the person to solve the problem.

Don''t try going all interesting in the protection scheme -- anyone
clueful
enough to get through your basic protection is going to be equally good at
chomping through whatever else you might dream up.  Technical solutions to
social problems never work, and copyright infringement is a social problem.

Also, don''t stop the user from using the software.  If you do that,
you''ll
encourage people to "fix" the problem.  Just get the software to let
you
know and then bring down the legal LARTs of doom.

- Matt

-- 
"You keep using that word.  I do not think it means what you think it
means."
	-- Inigo, The Princess Bride

On Fri, Aug 04, 2006, Ben Johnson wrote:
> Where? The search is disabled on the forums.
It''s a mailing list; ruby-forum is just a gateway to it.  Try Gmane
(http://news.gmane.org/gmane.comp.lang.ruby.rails) or any of a number of
other online archives of the list.

Ben

Interpreted languages are a poor choice to use for software you plan to
sell.

The fact is that I can decompile Java or .Net code just as easily with
Reflector or JavaDecompiler.

http://members.fortunecity.com/neshkov/dj.html  (Java)

and

http://www.aisto.com/roeder/dotnet/   (.Net)

I''d be more worried about people stealing your idea and implementing
that.... there''s more of that going on than anything else.

In my opinion, you need to either host it yourself, or have a nice license
contract that you and your client sign... not just something they accept....
and YOU go and install it yourself at their location.




On 8/3/06, Ben Johnson <bjohnson@mediamanifest.com>
wrote:
>
> Joe wrote:
> > I don''t think anybody but script kiddies bother with such
stuff. And
> > AFAIK obfuscation isn''t much of a hurdle. Now a lawyer and
the law
> > OTOH...
> > And is Rails code really that hard to figure out anyway?
> >
> > Joe
>
> I don''t really understand what you are saying here. I''m
about to sell a
> piece of software to multiple companies and gross 6 figures a month. I
> do not want people to steal it. I can''t afford to be naive and
assume
> people won''t steal the code.
>
> Does anyone have any idea besides rewriting some of the code in c?
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060804/ed56fce2/attachment.html

I have never tried it, and it looks like (from the title) its for 
windows, but this type of thing seems more promising to me than an 
obfuscator.

http://www.erikveen.dds.nl/rubyscript2exe/index.html

On a side note, a VC funded company recently released there downloadable 
ruby/rails based software.  Most of the code is just sitting there for 
you to see, they protect it with a pretty aggresive license.  They did a 
speedbump style protection for their controller code by base64 encoding 
the files and then zipping them.  Like I said, a speedbump.

-- 
Posted via http://www.ruby-forum.com/.

Ben Johnson wrote:
> Joe wrote:
>> I don''t think anybody but script kiddies bother with such
stuff. And
>> AFAIK obfuscation isn''t much of a hurdle. Now a lawyer and the
law
>> OTOH...
>> And is Rails code really that hard to figure out anyway?
>> 
>> Joe
> 
> I don''t really understand what you are saying here. I''m
about to sell a
> piece of software to multiple companies and gross 6 figures a month. I 
> do not want people to steal it. I can''t afford to be naive and
assume
> people won''t steal the code.
> 
> Does anyone have any idea besides rewriting some of the code in c?
Six figures a month?!? Wow, what''s the software?!?

People will figure out how to steal your software/code, but nobody but a 
fool would try to sell it as their own or use stolen software in their 
business. For those that do, it''s important to establish your precedent
- shareware developers used to mail themselves a disk containing their 
software. And unless your software has amazing new algorithms that do 
something revolutionary, no software is impossible to figure out and 
reimplement from scratch.

Joe

-- 
Posted via http://www.ruby-forum.com/.

Thanks a lot for everyone''s help. I just wanted something more than a 
license to stand between my code and a programmer that wants to steal 
it, but I guess you are all right, there''s not much I can do except 
decide to host it myself. Although our company does have a very good 
lawyer so it wouldn''t be too hard enforcing the license.

-- 
Posted via http://www.ruby-forum.com/.

I would be interested in some type of obfuscator also, although for a
different reason.  If you are trying to keep people from stealing your
code, obfuscating is not the answer.

I have a situation where I''m implementing a proprietary protocol.
It''s not exactly difficult to get ahold of, but contractual terms keep
me from distributing unobfuscated source.  I personally don''t care if
someone gets access to the source, because it would be easier to get
the protocol specs from the owner ($100 + sign the same contract I
did).  Being able to obfuscate the source would let me write the code
in ruby instead of say Python, Java, or C.

Ben Johnson wrote:
> Thanks a lot for everyone''s help. I just wanted something more
than a
> license to stand between my code and a programmer that wants to steal 
> it, but I guess you are all right, there''s not much I can do
except
> decide to host it myself. Although our company does have a very good 
> lawyer so it wouldn''t be too hard enforcing the license.
So what''s your software dude?

Joe

-- 
Posted via http://www.ruby-forum.com/.

Joe wrote:
> Ben Johnson wrote:
>> Thanks a lot for everyone''s help. I just wanted something more
than a
>> license to stand between my code and a programmer that wants to steal 
>> it, but I guess you are all right, there''s not much I can do
except
>> decide to host it myself. Although our company does have a very good 
>> lawyer so it wouldn''t be too hard enforcing the license.
> 
> So what''s your software dude?
> 
> Joe
Ha ha. I''m sorry but that is not something I can share, but I must say 
that I''d still be programming if I hadn''t of programmed it in
rails.
Rails kicks some major ass and this program really proves that rails can 
handle just about anything, basically any type of program that plans on 
having a web based interface.

-- 
Posted via http://www.ruby-forum.com/.

On Thu, Aug 03, 2006 at 09:43:23PM -0700, snacktime
wrote:
> I have a situation where I''m implementing a proprietary protocol.
> It''s not exactly difficult to get ahold of, but contractual terms
keep
> me from distributing unobfuscated source.  I personally don''t care
if
> someone gets access to the source, because it would be easier to get
> the protocol specs from the owner ($100 + sign the same contract I
> did).  Being able to obfuscate the source would let me write the code
> in ruby instead of say Python, Java, or C.
Obviously the definition of "obfuscate" for this contract is pretty
poor,
because at least Python and Java are pretty trivial to reverse engineer.

- Matt

On 8/3/06, Matthew Palmer <mpalmer@hezmatt.org>
wrote:
> On Thu, Aug 03, 2006 at 09:43:23PM -0700, snacktime wrote:
> > I have a situation where I''m implementing a proprietary
protocol.
> > It''s not exactly difficult to get ahold of, but contractual
terms keep
> > me from distributing unobfuscated source.  I personally don''t
care if
> > someone gets access to the source, because it would be easier to get
> > the protocol specs from the owner ($100 + sign the same contract I
> > did).  Being able to obfuscate the source would let me write the code
> > in ruby instead of say Python, Java, or C.
>
> Obviously the definition of "obfuscate" for this contract is
pretty poor,
> because at least Python and Java are pretty trivial to reverse engineer.
It''s the protocol for Vital, one of the larger card processing
networks.  All of them are like this.  It''s more about control then
anything, and it''s not the people who could decipher the source that
they are worried about anyways.  It''s the hundreds of
merchants/developers that could easily change the source and introduce
bugs if the source was easy to get at.
But the no source clause is just an extra thing that pales in
comparison to the NDA:)

Ben Johnson wrote:
> I don''t really understand what you are saying here. I''m
about to sell a
> piece of software to multiple companies and gross 6 figures a month. I 
> do not want people to steal it. I can''t afford to be naive and
assume
> people won''t steal the code.
Uh, didn''t you look into this before you even started?

-- 
Posted via http://www.ruby-forum.com/.

Ben Johnson wrote:
> decide to host it myself. Although our company does have a very good 
> lawyer so it wouldn''t be too hard enforcing the license.
...until someone in China stumbles upon it and your lawyer means nothing 
at that point.  Its hard and costly to enforce your license 
internationally and probably almost impossible to do so in China.

Anything can be decompiled.  I remember back in the day decompiling 
Windows to Assembly language just for the fun of it.


-- 
Posted via http://www.ruby-forum.com/.

On 8/4/06, Matthew Palmer <mpalmer@hezmatt.org>
wrote:
> Obviously the definition of "obfuscate" for this contract is
pretty poor,
> because at least Python and Java are pretty trivial to reverse engineer.
Yes, but with Java you have Excelsior (http://www.excelsior-usa.com),
which is an awesome product and does what ZenObfuscator (I believe)
hopes to do...compiles to native and protects your IP.

Having used Excelsior quite a bit for Java projects, I cannot say
enough good things about it.

JB

Joe wrote:
> 
> So what''s your software dude?
Sorry but my "BS" detector went off when he said "and gross 6
figures a
month". You don''t build an entire app in a new framework that is
going
to gross you six figures a month and then ask near the end of 
development how your going to protect it now.

-- 
Posted via http://www.ruby-forum.com/.

Ben Johnson wrote:
> I don''t really understand what you are saying here. I''m
about to sell a
> piece of software to multiple companies and gross 6 figures a month. I 
> do not want people to steal it. I can''t afford to be naive and
assume
> people won''t steal the code.
Its not the decompiler or backwards engineers you need to worry about. 
Its the copy-cats.  If your idea is that truely revolutionary then it 
will be copied in no time - especially if you''ve proved it can be done 
in Rails, then any good Railer can duplicate your functionality easily. 
All you can hope for is to get enough marketshare first.  Look how many 
times Digg has been cloned.  Look how people tried to mimic eBay (Amazon 
auctions, Yahoo auctions, etc.).

-- 
Posted via http://www.ruby-forum.com/.

That was my bs detector too.  Oh, and btw, if you''re expecting to
gross 10^6 and your name is not Bill Gates, then I fear for your
disappointment.
As far as protecting your investment, A) self-hosting is a good
alternative to explore. B) If you''re idea is worth so much, then why
not sell your services for that much?  I percieve that it is a very
dinosaur company (big oil?) that would spend $1M/year on software even
thought the people who wrote it can only get $200/hr for their
expertise and services (and AFAIK, not too many railsers are garnering
$200/hr?!?!)

My 2x10^-2
-- 
------------------------------
Apple MacBook.  Black.  It''s the new White!
------------------------------
Peter Fitzgibbons


On 8/4/06, Steve Inoo <inoo@no-spam.please> wrote:
> Joe wrote:
> >
> > So what''s your software dude?
>
> Sorry but my "BS" detector went off when he said "and gross
6 figures a
> month". You don''t build an entire app in a new framework that
is going
> to gross you six figures a month and then ask near the end of
> development how your going to protect it now.
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

Steve Inoo wrote:
> Joe wrote:
>> 
>> So what''s your software dude?
> 
> Sorry but my "BS" detector went off when he said "and gross
6 figures a
> month". You don''t build an entire app in a new framework that
is going
> to gross you six figures a month and then ask near the end of 
> development how your going to protect it now.
Sorry but I don''t think anyone asked you if you think any of this is BS
and frankly that has nothing to do with the topic of the thread. Why is 
it such a big deal to ask for an obfuscater or some way to protect code 
that I''m going to be distributing? This is my first rails project and I
have all kinds of questions.

So my "programmer and no business experience" detector went off and
told
me that if you are compairing Microsoft to my company that makes close 
to 7 figures a month, then you are highly uneducated with how much a 
decent company grosses each month.  Lastly, I never said we were selling 
this to a single company, and from the nature of the thread, you should 
be able to determine that we are selling this multiple times. Ha ha.

Anways, thanks for the help it really cleared up the picture with ruby 
and protecting the ruby code.

-- 
Posted via http://www.ruby-forum.com/.

Ben Johnson wrote:
> 
> So my "programmer and no business experience" detector went off
and told
> me that if you are compairing Microsoft to my company that makes close 
> to 7 figures a month, then you are highly uneducated with how much a 
> decent company grosses each month.  Lastly, I never said we were selling 
> this to a single company, and from the nature of the thread, you should 
> be able to determine that we are selling this multiple times. Ha ha.
> 
> Anways, thanks for the help it really cleared up the picture with ruby 
> and protecting the ruby code.
Let''s assume you do know what you''re doing. I don''t
know who your target
market it, but you do. Protect yourself with adequate copyright language 
that you get from a good IP attorney. And then market the hell out of 
it.

Believe me, if people are stealing your stuff, that''s a good thing, 
because nobody steals anything that''s not interesting. If your
customers
are large companies, I guarantee they won''t steal from you. They never 
buy anything they won''t commit to long-term, and you''re more
valuable to
them healthy. Besides, they fear lawsuits mightily. They''ll pay late, 
but they will pay.

If your customers are small companies, your marketing costs will far 
outweigh your development costs anyway, and the same will apply to 
anyone who steals from you, but you will have a head start.

If your customers are individuals, then this is almost certainly a 
science project and not a business anyway, so the more you get stolen 
from the better off you are.

Bottom line: get your code out there and stop worrying about theft.

-- 
Posted via http://www.ruby-forum.com/.

Peter Fitzgibbons wrote:
> That was my bs detector too.  Oh, and btw, if you''re expecting to
> gross 10^6 and your name is not Bill Gates, then I fear for your
> disappointment.
> As far as protecting your investment, A) self-hosting is a good
> alternative to explore. B) If you''re idea is worth so much, then
why
> not sell your services for that much?
Yeah, I used to sell software for distribution. Dealing with support on 
the myriad of systems, OS''s, configurations, other installed software, 
etc. was a true nightmare. Selling a service where you own and control 
the machines is much easier - like Basecamp and Salesforce.

Joe

-- 
Posted via http://www.ruby-forum.com/.

On 8/3/06, Ben Johnson <bjohnson@mediamanifest.com>
wrote:
> I just made a rails application that I plan to sell and dsitribute. I
> want to distribute it without having to worry about someone stealing the
> code and selling their own version. How do I do this? Is there a ruby
> obfuscator or anything that can keep someone from seeing the code?
>
> Thanks for your help.
If your customers are big enough, consider selling the box that it runs on.

Sincerely,

Tom Lieber
http://AllTom.com/
http://GadgetLife.org/

On Fri, Aug 04, 2006 at 10:08:15AM -0400, J B wrote:
> On 8/4/06, Matthew Palmer <mpalmer@hezmatt.org> wrote:
> >Obviously the definition of "obfuscate" for this contract is
pretty poor,
> >because at least Python and Java are pretty trivial to reverse
engineer.
> 
> Yes, but with Java you have Excelsior (http://www.excelsior-usa.com),
> which is an awesome product and does what ZenObfuscator (I believe)
> hopes to do...compiles to native and protects your IP.
Suggested endings for your sentence:

1) ... which destroys the core benefit of Java (and to some extent Ruby) --
platform independence.

2) ... except that even native code isn''t that hard to rip apart if
needed.

3) ... except all the interesting bits, such as what you''re actually
doing,
which can be worked out without seeing any code whatsoever.

4) ... but of course, "protecting your IP" is a complete smokescreen
--
customers want a business that satisfies their needs, not one that spends
all it''s resources locking everything away.

- Matt

-- 
You have a 16-bit quantity, but 5 bits of it are here and 2 bits of it are
there... and 2 bits of it are back here and 3 bits of it are up there.  The
C code to extract useful data had so many >> and << operators in it
that it
looked like the C++ version of "hello world".	-- Matt Roberds, ASR

J B wrote:
> On 8/4/06, Matthew Palmer <mpalmer@hezmatt.org> wrote:
>> Obviously the definition of "obfuscate" for this contract is
pretty
>> poor,
>> because at least Python and Java are pretty trivial to reverse
engineer.
>
> Yes, but with Java you have Excelsior (http://www.excelsior-usa.com),
> which is an awesome product and does what ZenObfuscator (I believe)
> hopes to do...compiles to native and protects your IP.
>
> Having used Excelsior quite a bit for Java projects, I cannot say
> enough good things about it.
If there are only a few parts that need protecting, then you might try 
writing a ruby module in C code and then linking from Ruby.

Sincerely,
Jason