Rails - Jan 2006 - Code security

I''ve just created a rails application for a friend''s business.
I''m going to place the application onto one of his computers so he can
access it from within his network.

What can i do to make sure he cannot read/edit the code? I can''t see
what i can do. Its on a windows xp machine and he has full admin rights.
He''s not an expert PC user so the solution doesn''t have to be
fully
secure, it just needs to be hard for him to access.  It''s really
important that he doesn''t read the code

Anyone any ideas what i can do??? any help would be really appreciated!!

Thanks,
Chris

-- 
Posted via http://www.ruby-forum.com/.

If he has admin rights to the machine where the code is installed, I''m
pretty sure it''s not possible for you to prevent him from read/editing
the
code.  It think the only solution we be to put the code on a machine that he
doesn''t have administrator/root access to.

On 1/28/06, Chris <eggman123444@gmail.com> wrote:
>
> I''ve just created a rails application for a friend''s
business.
> I''m going to place the application onto one of his computers so he
can
> access it from within his network.
>
> What can i do to make sure he cannot read/edit the code? I can''t
see
> what i can do. Its on a windows xp machine and he has full admin rights.
> He''s not an expert PC user so the solution doesn''t have
to be fully
> secure, it just needs to be hard for him to access.  It''s really
> important that he doesn''t read the code
>
> Anyone any ideas what i can do??? any help would be really appreciated!!
>
> Thanks,
> Chris
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060128/569de420/attachment.html

I acree with Paul, but version control is your friend here. If you allow him
read-only access to your repository, and give him a working copy, you can
track and roll back his changes easily in the event of an
''accident''.

Lee

On 1/28/06, Paul Barry <mail@paulbarry.com> wrote:
>
> If he has admin rights to the machine where the code is installed,
I''m
> pretty sure it''s not possible for you to prevent him from
read/editing the
> code.  It think the only solution we be to put the code on a machine that
he
> doesn''t have administrator/root access to.
>
> On 1/28/06, Chris <eggman123444@gmail.com> wrote:
> >
> > I''ve just created a rails application for a friend''s
business.
> > I''m going to place the application onto one of his computers
so he can
> > access it from within his network.
> >
> > What can i do to make sure he cannot read/edit the code? I
can''t see
> > what i can do. Its on a windows xp machine and he has full admin
rights.
> > He''s not an expert PC user so the solution doesn''t
have to be fully
> > secure, it just needs to be hard for him to access.  It''s
really
> > important that he doesn''t read the code
> >
> > Anyone any ideas what i can do??? any help would be really
appreciated!!
> >
> > Thanks,
> > Chris
> >
> > --
> > Posted via http://www.ruby-forum.com/.
> > _______________________________________________
> >
> > <http://lists.rubyonrails.org/mailman/listinfo/rails>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060129/84f4d8d1/attachment.html

On 1/28/06, Chris <eggman123444@gmail.com> wrote:
> It''s really important that he doesn''t read the code
Why?

This seems like there''s something else going on.

+1 on James comment.  Why wouldn''t you want him to "read the
code" ?


On 1/29/06, James Ludlow <jamesludlow@gmail.com>
wrote:
>
> On 1/28/06, Chris <eggman123444@gmail.com> wrote:
> > It''s really important that he doesn''t read the code
>
> Why?
>
> This seems like there''s something else going on.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060129/e8157e19/attachment.html

On 1/29/06, Dylan Stamat <dylans@gmail.com> wrote:
> +1 on James comment.  Why wouldn''t you want him to "read the
code" ?
So that it doesn''t become theirs. I''m sure open source
software would
be much better if you could open any binary in an editor and see the
original code, due to the same ''borrowing'' that Chris probably
doesn''t
want to happen. That it''s hard to obfuscate programs written in
interpreted languages is why I haven''t bothered trying to sell any of
them, anyway.

Sincerely,

Tom Lieber
http://AllTom.com/
http://GadgetLife.org/

Here are instructions to package your rails app as an EXE!! it seems to 
work like a charm.

It solves my problem of anyone borrowing my code!

http://www.erikveen.dds.nl/distributingrubyapplications/rails.html#2.1.0



-- 
Posted via http://www.ruby-forum.com/.

On Jan 29, 2006, at 5:05 PM, Chris wrote:
> Here are instructions to package your rails app as an EXE!! it  
> seems to
> work like a charm.
>
> It solves my problem of anyone borrowing my code!
>
> http://www.erikveen.dds.nl/distributingrubyapplications/ 
> rails.html#2.1.0
That only makes it more difficult to access the ruby files, not  
impossible.  A debugger could pull them out of memory with a bit of  
work.

You really want a Ruby obfuscator like ZenObfuscator.

-- 
Eric Hodel - drbrain@segment7.net - http://segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

On Jan 29, 2006, at 5:05 PM, Chris wrote:
> Here are instructions to package your rails app as an EXE!! it  
> seems to
> work like a charm.
>
> It solves my problem of anyone borrowing my code!
>
> http://www.erikveen.dds.nl/distributingrubyapplications/ 
> rails.html#2.1.0
>
>
>
Chris-

	Note that when you package and app that way it is only providing  
minimal security. When your user double clicks on the exe file the  
rubyscript2exe will just uncompress your code into a temp dir. So it  
will still be available in plain text on the system after it gets run  
once.


Cheers-
-Ezra Zygmuntowicz
WebMaster
Yakima Herald-Republic Newspaper
ezra@yakima-herald.com
509-577-7732

Agreed, but unless the person with your code has a fairly significant
reason to try to extract the source (e.g. you''re trying to gouge him
on price for maintenenace work later on, or he needs some work done
and you''ve just been run over by a bus), >90% of people would see
the
EXE file and not bother trying to extract the code.

If someone *really* wants to pull apart your code, it''s very difficult
to hide it without going to extraordinary lengths.  Even compiled
languages can be decompiled into something vaguely like the original
source - at least to the point that it could be changed and recompiled
by someone with sufficient determination.  For apps that could fall
into this category, I just deploy them on a Web server that I control
and give the users access to it.

rubyscript2exe is a really nice way to deploy apps to customers, by
the way - nothing like being able to give out a single EXE file that
*is* the app, rather than sending 3 BAT files, 13 EXEs, 123 DLLs, 4
XML files, ... and then finding your customer doesn''t have Winzip to
unpack it all!

Regards

Dave M.


On 30/01/06, Ezra Zygmuntowicz <ezra@yakimaherald.com>
wrote:
>
> On Jan 29, 2006, at 5:05 PM, Chris wrote:
>
> > Here are instructions to package your rails app as an EXE!! it
> > seems to
> > work like a charm.
> >
> > It solves my problem of anyone borrowing my code!
> >
> > http://www.erikveen.dds.nl/distributingrubyapplications/
> > rails.html#2.1.0
> >
> >
> >
>
> Chris-
>
>         Note that when you package and app that way it is only providing
> minimal security. When your user double clicks on the exe file the
> rubyscript2exe will just uncompress your code into a temp dir. So it
> will still be available in plain text on the system after it gets run
> once.
>
>
> Cheers-
> -Ezra Zygmuntowicz
> WebMaster
> Yakima Herald-Republic Newspaper
> ezra@yakima-herald.com
> 509-577-7732
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

What''s wrong with people borrowing your code?  You''re
''borrowing'' rails. :)


On 1/29/06 8:05 PM, "Chris" <evilgeenius@gmail.com> wrote:
> Here are instructions to package your rails app as an EXE!! it seems to
> work like a charm.
> 
> It solves my problem of anyone borrowing my code!
> 
> http://www.erikveen.dds.nl/distributingrubyapplications/rails.html#2.1.0
> 
>

Get a host that supports Rails and throw it up there. Problem solved. =P

- Rabbit

---

On 1/29/06, Vince Puzzella <vpuz@rogers.com>
wrote:
> What''s wrong with people borrowing your code?  You''re
''borrowing'' rails. :)
>
>
> On 1/29/06 8:05 PM, "Chris" <evilgeenius@gmail.com> wrote:
>
> > Here are instructions to package your rails app as an EXE!! it seems
to
> > work like a charm.
> >
> > It solves my problem of anyone borrowing my code!
> >
> >
http://www.erikveen.dds.nl/distributingrubyapplications/rails.html#2.1.0
> >
> >
>
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

I''m guessing that''s meant to be a rhetorical question, but if
not:
- my code is *mine*, and I''ll share it around as I see fit.  I may
choose to GPL it, or I may release it under some other open source
licence, or I may not; either way, it''s *my* choice who sees *my* code
- I may have wrapped some proprietary algorithm (that I myself own) in
my code, and I don''t want other people to see it.  For example, the
algorithm may have a pending patent application, in which case I won''t
want to have it seen unless/until the patent is granted
- I may charge money for people using my code (a la Microsoft), and
having them be able to see the source might compromise my income
- there may be unimplemented functions or other cruftiness in my code,
so while I''m happy for people to use it in its present state, there
may be a personal/professional integrity issue that I don''t want to
face if/when people start digging around inside it
- I might want to sell support/maintenance services surrounding my
code, and therefore giving people access to do this themselves would
jeopardise my income
- there may be other issues relating to the "hidden-ness" of my source
code that make obscuring it a good thing.  For example, having
observed some of it personally, I wouldn''t be at all happy if banks
started releasing the source code for their Internet banking
applications to all and sundry.  Sure, they might eventually wind up
with a more secure application after the public trawled through their
code, identified bugs and fixed them, but would there be any money
left in the safe by the time that happened?
- I might have stolen other peoples'' source code and cut/pasted it
into my app, and I don''t want those affected to find out about it. 
No, I can''t think of anyone who would ever do this, so scratch it as a
possibility...
- I might have reused some old source code in my new application.  If
the old source code was written under contract to some other customer,
who then purchases it in its entirety, I''m not allowed to reuse it
(subject to local laws and interpretations).  While every coder worth
his/her salt reuses their old code all the time, in some circumstances
it might pay to be discrete about it

Just because the good people who created Rails are happy to have its
source shared around, doesn''t mean that everyone else feels they
should act the same way, at all times.

Regards

Dave M.

On 30/01/06, Vince Puzzella <vpuz@rogers.com>
wrote:
> What''s wrong with people borrowing your code?  You''re
''borrowing'' rails. :)
>
>
> On 1/29/06 8:05 PM, "Chris" <evilgeenius@gmail.com> wrote:
>
> > Here are instructions to package your rails app as an EXE!! it seems
to
> > work like a charm.
> >
> > It solves my problem of anyone borrowing my code!
> >
> >
http://www.erikveen.dds.nl/distributingrubyapplications/rails.html#2.1.0
> >
> >
>
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell
wrote:
> I''m guessing that''s meant to be a rhetorical question,
but if not:
> - my code is *mine*, and I''ll share it around as I see fit.  I may
> choose to GPL it, or I may release it under some other open source
> licence, or I may not; either way, it''s *my* choice who sees *my*
code
Who said anything about releasing the code under a FOSS licence?
> - I may have wrapped some proprietary algorithm (that I myself own) in
> my code, and I don''t want other people to see it.  For example,
the
> algorithm may have a pending patent application, in which case I
won''t
> want to have it seen unless/until the patent is granted
Better treated as a contractual/trade secret issue than a code obfuscation
one.
> - I may charge money for people using my code (a la Microsoft), and
> having them be able to see the source might compromise my income
Better treated as a contractual issue than a code obfuscation one.
> - there may be unimplemented functions or other cruftiness in my code,
> so while I''m happy for people to use it in its present state,
there
> may be a personal/professional integrity issue that I don''t want
to
> face if/when people start digging around inside it
I think that allowing your customers to see what sort of a programmer you
are would be a brilliant reason to open up your code -- if not for your
benefit, then for theirs.
> - I might want to sell support/maintenance services surrounding my
> code, and therefore giving people access to do this themselves would
> jeopardise my income
Better treated as a contractual issue than a code obfuscation one.
> - there may be other issues relating to the "hidden-ness" of my
source
> code that make obscuring it a good thing.  For example, having
> observed some of it personally, I wouldn''t be at all happy if
banks
> started releasing the source code for their Internet banking
> applications to all and sundry.  Sure, they might eventually wind up
> with a more secure application after the public trawled through their
> code, identified bugs and fixed them, but would there be any money
> left in the safe by the time that happened?
I don''t know about you, but I''ve not yet had an opportunity to
run my bank''s
Internet banking application on my own servers.  You must have a
particularly interesting bank there.
> - I might have stolen other peoples'' source code and cut/pasted it
> into my app, and I don''t want those affected to find out about it.
Gee, that''s a quality reason.
> - I might have reused some old source code in my new application.  If
> the old source code was written under contract to some other customer,
> who then purchases it in its entirety, I''m not allowed to reuse it
> (subject to local laws and interpretations).  While every coder worth
> his/her salt reuses their old code all the time, in some circumstances
> it might pay to be discrete about it
This seems closely related to the previous reason.
> Just because the good people who created Rails are happy to have its
> source shared around, doesn''t mean that everyone else feels they
> should act the same way, at all times.
Considering that the best two reasons given appear to relate to covering up
illegal activities, I''m not sure that your arguments are looking pretty
thin.
I guess, though, that if you spend your time misappropriating other
people''s
code, you assume the same mindset in others.

AFAIK, there''s nothing that will effectively obfuscate Ruby code from a
determined person at this time.  All of the "ruby into .exe"
converters are
quite useful for simple deployment, but not for obfuscation purposes. 
Consider it a marketing benefit that your customers have the sourcecode
(call it "future-proofing" or whatever -- most people in business have
had a
problem with a software vendor disappearing underneath them).

- Matt

OK, I should''ve said up front that I don''t pinch other
peoples'' code,
nor do I have a problem with people seeing my sometimes-crappy code. 
However, other people do.

My points still stand, however: the choice of how to distribute code
should be left to the author; code obfuscation has its place, although
I agree it''s not a great standalone security solution; people *do*
misappropriate others'' code, or re-use code they''ve written
and then
sold, and don''t want to highlight it.  With all due respect, *any* of
these would be sufficient reason for someone to choose to not publish
source.  Witness the reluctance of some companies to release code
they''ve *borrowed* that was under the GPL, which they''re then
obliged
to make available along with their changes - there''s been a sizeable
number of these issues discussed in Slashdot over the past few years.

Even with one of the most powerful (not to mention busiest) legal
teams around, Microsoft doesn''t release all their source code and then
rely on binding contracts as a way of protecting their IP assets. 
Ditto Oracle, and any number of other commercial software companies. 
If *they* don''t release their code, that''s good enough reason
in
itself for a lot of people to follow suit.

Finally, as far as Internet banking apps go - no, I don''t run these
apps at home.  However, I have previously been employed as a
consultant to test Internet banking code for several banks, and in
*every* case the commercial imperative to "get it out there" has
eventually superceded testing that''s shown up flaws in the
application.  Shock, horror - even Internet banking apps get deployed
when there are still known defects.  To some extent, banks quite
definitely rely on the fact that others can''t see their source, but
also on other levels of security (e.g. firewalls, encryption, etc.). 
I''m fairly confident that, given full access to the source for one of
these apps, someone would eventually be able to drain money from other
peoples'' accounts without their knowledge, simply because the
processes used to develop/test/remediate the code don''t work
perfectly.  I''m also confident that the banks would gain very little,
if anything, as compensation in terms of improved security by
releasing their source.

Anyway, this is all getting way off the original topic, which related
to one guy wanting to protect his source from his customer, and which
has (presumably) already been answered earlier in this thread to his
satisfaction.  Sorry if I wasted everyone''s time on trying to list
reasons why someone might not want to release their source, which was
a bit of a tangent to the original query.

Regards

Dave M.

On 30/01/06, Matthew Palmer <mpalmer@hezmatt.org>
wrote:
> On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell wrote:
> > I''m guessing that''s meant to be a rhetorical
question, but if not:
> > - my code is *mine*, and I''ll share it around as I see fit. 
I may
> > choose to GPL it, or I may release it under some other open source
> > licence, or I may not; either way, it''s *my* choice who sees
*my* code
>
> Who said anything about releasing the code under a FOSS licence?
>
> > - I may have wrapped some proprietary algorithm (that I myself own) in
> > my code, and I don''t want other people to see it.  For
example, the
> > algorithm may have a pending patent application, in which case I
won''t
> > want to have it seen unless/until the patent is granted
>
> Better treated as a contractual/trade secret issue than a code obfuscation
> one.
>
> > - I may charge money for people using my code (a la Microsoft), and
> > having them be able to see the source might compromise my income
>
> Better treated as a contractual issue than a code obfuscation one.
>
> > - there may be unimplemented functions or other cruftiness in my code,
> > so while I''m happy for people to use it in its present state,
there
> > may be a personal/professional integrity issue that I don''t
want to
> > face if/when people start digging around inside it
>
> I think that allowing your customers to see what sort of a programmer you
> are would be a brilliant reason to open up your code -- if not for your
> benefit, then for theirs.
>
> > - I might want to sell support/maintenance services surrounding my
> > code, and therefore giving people access to do this themselves would
> > jeopardise my income
>
> Better treated as a contractual issue than a code obfuscation one.
>
> > - there may be other issues relating to the "hidden-ness" of
my source
> > code that make obscuring it a good thing.  For example, having
> > observed some of it personally, I wouldn''t be at all happy if
banks
> > started releasing the source code for their Internet banking
> > applications to all and sundry.  Sure, they might eventually wind up
> > with a more secure application after the public trawled through their
> > code, identified bugs and fixed them, but would there be any money
> > left in the safe by the time that happened?
>
> I don''t know about you, but I''ve not yet had an
opportunity to run my bank''s
> Internet banking application on my own servers.  You must have a
> particularly interesting bank there.
>
> > - I might have stolen other peoples'' source code and
cut/pasted it
> > into my app, and I don''t want those affected to find out
about it.
>
> Gee, that''s a quality reason.
>
> > - I might have reused some old source code in my new application.  If
> > the old source code was written under contract to some other customer,
> > who then purchases it in its entirety, I''m not allowed to
reuse it
> > (subject to local laws and interpretations).  While every coder worth
> > his/her salt reuses their old code all the time, in some circumstances
> > it might pay to be discrete about it
>
> This seems closely related to the previous reason.
>
> > Just because the good people who created Rails are happy to have its
> > source shared around, doesn''t mean that everyone else feels
they
> > should act the same way, at all times.
>
> Considering that the best two reasons given appear to relate to covering up
> illegal activities, I''m not sure that your arguments are looking
pretty thin.
> I guess, though, that if you spend your time misappropriating other
people''s
> code, you assume the same mindset in others.
>
> AFAIK, there''s nothing that will effectively obfuscate Ruby code
from a
> determined person at this time.  All of the "ruby into .exe"
converters are
> quite useful for simple deployment, but not for obfuscation purposes.
> Consider it a marketing benefit that your customers have the sourcecode
> (call it "future-proofing" or whatever -- most people in business
have had a
> problem with a software vendor disappearing underneath them).
>
> - Matt
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

On 1/29/06, Matthew Palmer <mpalmer@hezmatt.org>
wrote:
> On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell wrote:
> > - I may have wrapped some proprietary algorithm (that I myself own) in
> > my code, and I don''t want other people to see it.  For
example, the
> > algorithm may have a pending patent application, in which case I
won''t
> > want to have it seen unless/until the patent is granted
>
> Better treated as a contractual/trade secret issue than a code obfuscation
> one.
>
> > - I may charge money for people using my code (a la Microsoft), and
> > having them be able to see the source might compromise my income
>
> Better treated as a contractual issue than a code obfuscation one.
All I know about trade secret issues is the result of a 20 minute
convo in my very first CS class, so take this with a jar of salt :)
>From what I remember, trade secrets are only legally protected if
they''re practically protected first.  Meaning you have to exert the
effort to protect your trade secret, you can''t just be haphazard about
it and expect the law to take care of you.  I imagine that
distributing your code along with the software is easily interpretted
as not protecting it.  "Uh, if it''s so important that nobody
alter/copy it, why did you give it out?"  Now that there are code
obfuscators and compiled languages, there really is no excuse to pass
out clear text source code if you want to protect it.  It may not be
possible with Ruby yet, but I''m willing to bet a lot of
unsophisticated arbiters/judges would say, "Okay if you can''t do
it in
this language, why''d you write the code in it?"

I know that IP is of course protected under open source licenses. 
Perhaps it''s semantics, but I think it''s rather foolhardy to
distribute your source code and expect it to be considered a trade
secret.

Finally, I''m a huge fan of open source, but I completely understand
why many companies/developers choose not to go that route, and have
absolutely no problem with it.

Pat

LOL! Dude, SO much discussion for this. You''d solve your freaking
"problem" if you just got a HOST. You know, a "web site"
where you can
throw your app on and let the client use it without seeing the code.

Here look! I''ll even point you to a couple:

<a href="http://rimuhosting.com/">Rimu Hosting - quality VPS
starting
at $20/mo</a>
<a href="http://www.pipespring.com/">Pipe Spring - shared VPS
starting
at $11/mo</a>

Or if you''re strapped for cash...

<a href="http://www.asmallorange.com/">A Small Orange - $5/mo
shared
hosting!</a>

Make your app live and get on with your life.

- Rabbit

---

On 1/29/06, Pat Maddox <pergesu@gmail.com> wrote:
> On 1/29/06, Matthew Palmer <mpalmer@hezmatt.org> wrote:
> > On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell wrote:
> > > - I may have wrapped some proprietary algorithm (that I myself
own) in
> > > my code, and I don''t want other people to see it.  For
example, the
> > > algorithm may have a pending patent application, in which case I
won''t
> > > want to have it seen unless/until the patent is granted
> >
> > Better treated as a contractual/trade secret issue than a code
obfuscation
> > one.
> >
> > > - I may charge money for people using my code (a la Microsoft),
and
> > > having them be able to see the source might compromise my income
> >
> > Better treated as a contractual issue than a code obfuscation one.
>
> All I know about trade secret issues is the result of a 20 minute
> convo in my very first CS class, so take this with a jar of salt :)
>
> >From what I remember, trade secrets are only legally protected if
> they''re practically protected first.  Meaning you have to exert
the
> effort to protect your trade secret, you can''t just be haphazard
about
> it and expect the law to take care of you.  I imagine that
> distributing your code along with the software is easily interpretted
> as not protecting it.  "Uh, if it''s so important that nobody
> alter/copy it, why did you give it out?"  Now that there are code
> obfuscators and compiled languages, there really is no excuse to pass
> out clear text source code if you want to protect it.  It may not be
> possible with Ruby yet, but I''m willing to bet a lot of
> unsophisticated arbiters/judges would say, "Okay if you can''t
do it in
> this language, why''d you write the code in it?"
>
> I know that IP is of course protected under open source licenses.
> Perhaps it''s semantics, but I think it''s rather foolhardy
to
> distribute your source code and expect it to be considered a trade
> secret.
>
> Finally, I''m a huge fan of open source, but I completely
understand
> why many companies/developers choose not to go that route, and have
> absolutely no problem with it.
>
> Pat
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

Rabbit wrote:
> LOL! Dude, SO much discussion for this. You''d solve your freaking
> "problem" if you just got a HOST. You know, a "web
site" where you can
> throw your app on and let the client use it without seeing the code.
> 
> Here look! I''ll even point you to a couple:
> 
> <a href="http://rimuhosting.com/">Rimu Hosting - quality
VPS starting
> at $20/mo</a>
> <a href="http://www.pipespring.com/">Pipe Spring - shared
VPS starting
> at $11/mo</a>
> 
> Or if you''re strapped for cash...
> 
> <a href="http://www.asmallorange.com/">A Small Orange -
$5/mo shared
> hosting!</a>
> 
> Make your app live and get on with your life.
Except that won''t work from a sealed intranet.  Under those 
circumstances, you *may* get somewhere giving them a black box to plug 
in under their desk, or you may not.

-- 
Alex

On Sun, Jan 29, 2006 at 10:59:10PM -0700, Pat Maddox
wrote:
> On 1/29/06, Matthew Palmer <mpalmer@hezmatt.org> wrote:
> > On Mon, Jan 30, 2006 at 02:57:52PM +1100, David Mitchell wrote:
> > > - I may have wrapped some proprietary algorithm (that I myself
own) in
> > > my code, and I don''t want other people to see it.  For
example, the
> > > algorithm may have a pending patent application, in which case I
won''t
> > > want to have it seen unless/until the patent is granted
> >
> > Better treated as a contractual/trade secret issue than a code
obfuscation
> > one.
> >
> > > - I may charge money for people using my code (a la Microsoft),
and
> > > having them be able to see the source might compromise my income
> >
> > Better treated as a contractual issue than a code obfuscation one.
> 
> All I know about trade secret issues is the result of a 20 minute
> convo in my very first CS class, so take this with a jar of salt :)
> 
> >From what I remember, trade secrets are only legally protected if
> they''re practically protected first.
Jar taken.  "Effectively protected" includes such things as
"customer signs
contract saying ''this software contains trade secrets and you are
required
to keep them that way''".  Otherwise, how would you protect your
trade
secrets in areas other than software design -- there''s no English
Obfuscators (despite the content of most web forums as being apparent
evidence to the contrary <grin>).  The rules regarding "effective
protection" are meant to stop people from putting up billboards and then
suing anyone who looks at them.
> out clear text source code if you want to protect it.  It may not be
> possible with Ruby yet, but I''m willing to bet a lot of
> unsophisticated arbiters/judges would say, "Okay if you can''t
do it in
> this language, why''d you write the code in it?"
You may be confusing trade secret law with the TPM provisions in DMCA-style
copyright laws.  Part of the problem with the whole lumping together of
several very different areas of law under the banner of "Intellectual
Property" is this confusion that people have when talking about them. Trade
Secrets are a whole world of their own, completely different from
Copyrights, which are totally different to Patents and Trademarks.  There
are little-to-no commonalities between them.
> I know that IP is of course protected under open source licenses. 
> Perhaps it''s semantics, but I think it''s rather foolhardy
to
> distribute your source code and expect it to be considered a trade
> secret.
You''re not putting your source on the Internet for all to download --
you''re
distributing it to your paying customers after the execution of a suitably
binding contract -- two very, very different things.  They can even have
some level of "Open Sourceness" about it, too -- a sunset clause that
states
that, in the event that you go out of business / are unwilling to provide
further support, the whole thing falls under the GPL for anyone to maintain. 
Keeps everybody happy.

There''s this widespread confusion that "giving people the
source" means
"giving them the source under an Open Source licence".  It
isn''t.  Way back
in the day, that''s how just about all software was provided -- you got
a
copy of the source on huge tapes, and you compiled it on your machine (which
was, of course, different to every other machine).  You used to get a copy
of the source for Unix, 6th edition, for instance, for US$140,000 -- which
entitled you to run it on one machine (but with as many users as you could
fit on a PDP-11 -- what a bargain!).
> Finally, I''m a huge fan of open source, but I completely
understand
> why many companies/developers choose not to go that route, and have
> absolutely no problem with it.
People can try to make money any way they like.  I just prefer it when
everyone is honest about the reasons for their business model.  (Note: not a
cheap shot at David, just a general statement of "feh" at the
proprietary
software companies, which I''m increasingly disgusted at).

- Matt

Heya :)
> -----Original Message-----
> From: rails-bounces@lists.rubyonrails.org 
> [mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of Rabbit
> Sent: Monday, January 30, 2006 1:11 AM
> To: rails@lists.rubyonrails.org
> Subject: Re: [Rails] Re: Code security
> 
> LOL! Dude, SO much discussion for this. You''d solve your 
> freaking "problem" if you just got a HOST. You know, a "web 
> site" where you can throw your app on and let the client use 
> it without seeing the code.
Many, many clients will not let this happen. Many of the clients I deal with
want to maintain control over as much of their infrastructure as possible
hardware wise and they are so not going to put something critical on a
server that isn''t in their full control or part of their existing
managed
leased space.

Soulhuntre
----------
 
http://www.girl2.com  - my girls
http://www.the-estate.com  - my legacy
http://wiki.thegreybook.com - my project
http://weblog.soulhuntre.com - my thoughts

One idea that could be used to protect certain key algorithms without 
shoving the entire application onto a web server would be to set up a 
web service to handle certain critical procedures and then return the 
result.

Obviously there are limitations here, for one, the webserver would not 
have full access to your data tables, so you would need to extract any 
needed data and then transmit that to the web server (this could also be 
a security issue).

Properly done, you could provide the end user with almost all of the 
code while still holding onto key technology.

This is not a substitute for a good contract.

_Kevin

-- 
Posted via http://www.ruby-forum.com/.