I just got a contract to design an application for a fishing factory to manage whatever it is that they do. They unfortunately do not have internet access at the factory - although they do have a network connecting all the relevant users. I initially thought not to do this in Rails due to security reasons, but frankly I don't want to develop with anything less productive at this stage anymore. Is there a way to secure my code if it is running on their server? Or at least stop them from copying the application? It now seems to me that this could be something that I could quite often need in my area (as a lot of businesses and potential clients here do not have persistent internet access). Any ideas? :Francois
On 23 Aug 2005, at 13:09, Michael Champanis wrote:
> Well, depending on the contract, the source code could actually legally belong to them if you're providing a customised solution. You'd only have to worry about piracy if you were selling a generic multi-customer application.
Drifting off-topic, but note that in the UK the author of the software retains copyright on any code produced for a client, unless transfer of ownership is specifically written in to the contract. This was just reinforced by a recent decision by the High Court, where an organisation found they didn't own a system they'd paid £1m for: theregister.co.uk/2005/07/26/software_user_loses_ownership_claim/
And wasn't there another case in the UK (sp?) recently where it was found that a coder would be expected to reuse bits of code that they had written for other clients regardless of what the contract said?
So, make sure you get everything in writing, and be prepared to smack them over the head if they break the terms of the contract. Alternatively, you could configure a server, install it on their premises with your application, and not give them any passwords, etc. Write the cost of all of that in to an ongoing support contract, and see what they think of that.
...j
_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
lists.rubyonrails.org/mailman/listinfo/rails
Jamie Wilson wrote:
> So, make sure you get everything in writing, and be prepared to smack them over the head if they break the terms of the contract. Alternatively, you could configure a server, install it on their premises with your application, and not give them any passwords, etc. Write the cost of all of that in to an ongoing support contract, and see what they think of that.
This is an interesting idea.. will have a look at feasibility. :Francois
> Is there a way to secure my code if it is running on their server? Or at least stop them from copying the application?
>
> It now seems to me that this could be something that I could quite often need in my area (as a lot of businesses and potential clients here do not have persistent internet access).
Well, depending on the contract, the source code could actually legally belong to them if you're providing a customised solution. You'd only have to worry about piracy if you were selling a generic multi-customer application. Michael
There's an easier solution that doesn't rely on people obeying the laws they're supposed to but might not. Include a box with the install on it. Don't give them permission to access the box in any way other than web. You keep the password in case you need to go in and tweak something. -- -Kate (masukomi-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org)
damn.. sorry about that completely redundant response. -- -Kate (masukomi-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org)
Never tried this personally, but you may be able to "secure" your code by running it under Tar2RubyScript, then putting some simple code in it to check e.g. that the IP address or LAN card's MAC address are some specific value before allowing your code to run. That would prevent the code being run on other systems.
No, it won't prevent your code being copied.
No, it's not especially secure, as someone with a bit of knowledge could open up the tar file and remove or change your security check. That requires someone with some sort of coding background; remember anyone with a sufficiently strong coding background can break or bypass security checks in any language, provided they don't have e.g. hardware encryption to contend with.
However, it may be sufficient in an environment like a fishing factory with no Internet access. Combine it with a copyright message, both in the source and in the presented Web pages, and you're probably as "secure" as you're going to get.
As I said, I've never tried this before, so some experimentation may be in order. It may not actually work with RoR apps.
As an alternative to the "closed box, no login access" solution others have suggested, you could instead consider putting the box offsite and putting a WAN link in place to the factory. Presumably this could make it easier for you to support as well, as you could then ssh in remotely for support and maintenance; this could let you reduce your ongoing costs and make it more palatable.
Regards
Dave M.
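An added example, not part of the original post and not Tar2RubyScript's own code: a minimal host-binding check of the kind described in the message above, which refuses to start unless one of the machine's MAC addresses matches the value recorded for the licensed server. The sample `ip link` output, the MAC value and all function names are constructed for illustration.

```ruby
require 'digest'

# Constructed sample of `ip link` output; not captured from a real host.
SAMPLE_IP_LINK = <<~OUT
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
      link/ether 02:00:5E:10:20:30 brd ff:ff:ff:ff:ff:ff
OUT

MAC_RE = /\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b/i
IGNORED = %w[00:00:00:00:00:00 ff:ff:ff:ff:ff:ff].freeze

# Pull hardware addresses out of interface-listing text, normalised to
# lowercase colon form, dropping loopback and broadcast placeholders.
def mac_addresses(text)
  text.scan(MAC_RE).map { |m| m.downcase.tr('-', ':') }.uniq - IGNORED
end

# Store a digest rather than the literal MAC so the bound value is not a
# greppable string. This is not a secret: a MAC has little entropy.
def fingerprint(mac)
  Digest::SHA256.hexdigest("hostbind:#{mac}")
end

# Hypothetical value recorded at install time for the licensed server.
LICENSED_FINGERPRINT = fingerprint('02:00:5e:10:20:30')

def licensed_host?(text, expected = LICENSED_FINGERPRINT)
  mac_addresses(text).any? { |mac| fingerprint(mac) == expected }
end

# Call once at application start, passing e.g. the output of `ip link`.
# Fails closed: empty or unparsable output counts as an unlicensed host.
def enforce_host_binding!(text)
  return true if licensed_host?(text)

  raise SecurityError, 'This copy is not licensed for this host.'
end
```

As the message says, this only stops the application from running unmodified on another machine; the check ships in readable source, so it does not prevent copying and is no stronger than the contract behind it.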
Thanks, I'll definitely do some investigating into the Tar2RubyScript idea. Seems promising. The WAN wouldn't work as I'm located more than 100km from the factory - which is located on some godforsaken stretch of the coast.
Frankly I wouldn't be worried about them taking your code. If the contract says it's theirs then well... it's theirs. If not, when they do decide to take it/not pay support then you slap them with a lawsuit. -- Zachery Hostens <zacheryph-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Frankly I wouldn't be worried about them taking your code. If the contract says it's theirs then well... it's theirs. If not, when they do decide to take it/not pay support then you slap them with a lawsuit.
That's a sticky bit too -- how do you find out?
On Aug 26, 2005, at 2:41, Caleb Buxton wrote:
>> Frankly I wouldn't be worried about them taking your code. If the contract says it's theirs then well... it's theirs. If not, when they do decide to take it/not pay support then you slap them with a lawsuit.
>
> That's a sticky bit too -- how do you find out?
Who cares. At that point you are not going to get more money anyway.
Stop worrying about it. Sell it as an advantage of your solution that they get access to the source code.
If the product is something you sell to other people too, make it clear in the contract that they are not allowed to make changes and sell it to someone else; but that they can make changes for their own use (maybe only if you are not available to make the changes?)
- ask -- askbjoernhansen.com
Do what most companies do. Sell the product, then charge extra for customizations, and support. If they change it manually, ensure they know you only support it to a certain extent. And if they don't pay for the support contract then no support, but they can continue to use the version of the product they have. -- Zachery Hostens <zacheryph-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> And wasn't there another case in the UK (sp?) recently where it was found that a coder would be expected to reuse bits of code that they had written for other clients regardless of what the contract said?
Sounds like the same case: 'Deputy High Court Judge Christopher Floyd QC wrote, "it is to be expected that a software developer will both import pre-existing code into the code he is writing for the client, as well as export it for other projects."' (from the article in the Register). Interesting stuff for freelance workers/contractors, for sure. Thanks, Colin