Hi,

I have my application on a Ubuntu 9.04 server edition. Now I want to hide my application somehow, like a setup file creation on .NET or through any other way, so that nobody can use my code without my permission. How can I do that?

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

On 6 July 2010 09:06, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Hi,
>
> I have my application on a Ubuntu 9.04 server edition. Now I want to
> hide my application somehow, like a setup file creation on .NET or
> through any other way, so that nobody can use my code without my
> permission. How can I do that?

What do you mean by hide the code? The ruby code should not be visible to a user, only the html should be visible.

Colin

Yes. Ruby code should not be visible and if possible then also the html too (should not be visible).

Thanks in advance.

I think that the OP wants the code to be unreadable in the same way that compiled apps are unreadable (for some value of unreadable).

On 6 July 2010 10:08, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Yes. Ruby code should not be visible and if possible then also the html
> too (should not be visible).

Is that comment in response to my suggestion that the ruby code should not be visible? It is best to leave in the comment you are referring to so that the email makes sense.

What I meant was that the ruby code will not be visible anyway - a visitor to the website cannot see the ruby code, only the html.

As for your suggestion that you want the html not to be visible, how do you expect someone to use the website if the html is not visible, as it is this that is interpreted by the browser to display the web page?

Colin

On 6 July 2010 10:17, Peter Hickman <peterhickman386-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> I think that the OP wants the code to be unreadable in the same way that
> compiled apps are unreadable (for some value of unreadable).

Unreadable by who? A visitor to the website cannot see the Ruby code anyway, and the html must be visible for the browser to display it. Unless he is talking about javascript.

Sumanta - is it the javascript you are trying to hide?

Colin

OK... maybe I failed to make my view clear. Sir, I have a server machine (OS: Ubuntu 9.04 server edition). Now the application is running. What I want is if somebody has the server's User Name and Password then he/she can see my code. I want to protect my programs (raw code). Is there any way?

When we use .Net we can create a setup file for a project, so there is no chance to change or to see the code/program. This is the kind of hiding I am talking about. Or if there is any way so that I can encrypt my code without interrupting the execution of the application.

Thanks in advance.

On 6 July 2010 10:29, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> OK... maybe I failed to make my view clear. Sir, I have a server machine (OS:
> Ubuntu 9.04 server edition). Now the application is running. What I want
> is if somebody has the server's User Name and Password then he/she can
> see my code. I want to protect my programs (raw code). Is there any way?

That is not a Rails question, it is a Ubuntu question. Set the permissions on the folders so that only you and the web server can view them. The Ubuntu support mailing list (https://lists.ubuntu.com/mailman/listinfo/ubuntu-users) would be a good place to ask if you need further help on this. Though I would suggest reading up on folder permissions and trying it yourself first.

Colin

.NET is a compiled language like Java.

Ruby is only compiled to an internal format, each and every time it is run.

As such there is no standard Ruby compiler (like .NET or Java). Although compilers for Ruby do exist (but I have no experience of them).

You might like to look at JRuby which, if I remember this correctly, may allow you to compile Ruby code down to a Java class file. Any JRuby experts here who could cast some light on this?

JRuby is an interpreter, written in Java, for Ruby. So it is no different from the standard MRI interpreter.

Sumanta,

What you are looking for is an encoder/decoder. I only know of http://www.rubyencoder.com/; try it and see if it works for you.

Regards,
Amiruddin Nagri,
Bangalore, 560008, KA
India

Y! IM : amir_nagri-/E1597aS9LQAvxtiuMwx3w@public.gmane.org
GTalk : amir.nagri-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org

On Tue, Jul 6, 2010 at 3:26 PM, Peter Hickman <peterhickman386-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> .NET is a compiled language like Java.
>
> Ruby is only compiled to an internal format, each and every time it is run.
>
> As such there is no standard Ruby compiler (like .NET or Java). Although
> compilers for Ruby do exist (but I have no experience of them).
>
> You might like to look at JRuby which, if I remember this correctly, may
> allow you to compile Ruby code down to a Java class file. Any JRuby experts
> here who could cast some light on this?

Sir, as you suggested, I already did it (changing the permissions). But the problem is, as I said before, that if anybody knows the password & username of the server then again he/she can change the permissions very easily, if he/she wishes to access/change the code/program. So from Ubuntu I will not get (most probably) any way to do that. That's why I am searching for a Ruby way to do this. Any help?

Thanks in advance.

On 6 July 2010 10:34, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Or if there is any way so that I can encrypt my code
> without interrupting the execution of the application.

You can do this (I've had to do it for a client) but it's not simple and I can't share my solution's code. However, you basically go along the lines that you have a class responsible for decrypting/encrypting code (I used Base64 encoded AES). You then have Rake tasks that go through all Ruby (I did YAML too as YAML files are executed as ERB first) files, encrypt the content and replace the file contents with contents like this:

    require 'config_decryptor'
    eval ConfigDecryptor.decrypt(...ENCRYPTED_CONTENT_HERE...)

Your config_decryptor.rb file has to be in the load path - I handled this by requiring the full path in a config/preinitializer.rb file.

The eval is done once as the Ruby class files are cached in memory during production mode.

The next problem is getting the key in to Ruby. I did this by having a Rake task that puts it in to a specific named file in /tmp which is then read by my class (during a call in preinitializer.rb) and deleted. It's not ideal, but it works for my purpose and would also work for yours.

The last step, if you're using Passenger ensure that the last child is never killed off (if it is, it will lose the decryption key which is now only in memory). I can't remember the setting but there's a timeout setting which you can set to zero so the last child never dies.

I would however, recommend against doing this - server security and not giving out the username/password is far and away the best solution. I work in a specific industry in a country with a lot of security requirements so had no choice - but it's a solution and something I wished I never had to write ;-)

Cheers,

Andy

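
The scheme described in the message above, written out as an added example: this is not the poster's code (which he says he cannot share) and not part of the thread. Only the `ConfigDecryptor.decrypt` call and the stub shape come from the post; AES-256-GCM, the blob layout, `load_key_from`, `encrypt_tree`, the `unless defined?` guard and the sample file are assumptions made for the illustration.

```ruby
require 'openssl'
require 'base64'
require 'tmpdir'

# Hypothetical stand-in for the ConfigDecryptor class named in the post.
module ConfigDecryptor
  CIPHER  = 'aes-256-gcm' # assumption: the post only says "Base64 encoded AES"
  IV_LEN  = 12            # GCM nonce length in bytes
  TAG_LEN = 16            # GCM authentication tag length in bytes

  class << self
    # Read the key from a drop file, then delete the file so the key
    # exists only in this process's memory (the preinitializer.rb step).
    def load_key_from(path)
      @key = File.binread(path)
      File.delete(path)
      true
    end

    # Returns Base64(iv || tag || ciphertext) for one source file.
    def encrypt(source)
      cipher = OpenSSL::Cipher.new(CIPHER).encrypt
      cipher.key = key
      iv = cipher.random_iv
      ciphertext = cipher.update(source) + cipher.final
      Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
    end

    # Returns the original source. Raises OpenSSL::Cipher::CipherError when
    # the blob was modified, so altered code is never handed to eval.
    def decrypt(blob)
      raw = Base64.strict_decode64(blob)
      raise ArgumentError, 'blob too short' if raw.bytesize <= IV_LEN + TAG_LEN
      cipher = OpenSSL::Cipher.new(CIPHER).decrypt
      cipher.key = key
      cipher.iv = raw[0, IV_LEN]
      cipher.auth_tag = raw[IV_LEN, TAG_LEN]
      body = raw[(IV_LEN + TAG_LEN)..-1]
      (cipher.update(body) + cipher.final).force_encoding('UTF-8')
    end

    private

    def key
      @key || raise('decryption key not loaded')
    end
  end
end

# Body of the Rake task the post describes: replace every .rb file under
# root with a stub that decrypts and evals the original source.
# Returns the list of files that were rewritten.
def encrypt_tree(root)
  Dir.glob(File.join(root, '**', '*.rb')).sort.each_with_object([]) do |path, done|
    source = File.read(path)
    # Skip empty files and files that are already stubs.
    next if source.empty? || source.include?('ConfigDecryptor.decrypt(')
    stub = "require 'config_decryptor' unless defined?(ConfigDecryptor)\n" \
           "eval ConfigDecryptor.decrypt('#{ConfigDecryptor.encrypt(source)}')\n"
    File.write(path, stub)
    done << path
  end
end

# Runs the whole flow on constructed sample data in a temp directory.
def run_demo
  Dir.mktmpdir do |dir|
    key_file = File.join(dir, 'app.key') # constructed key drop file
    File.binwrite(key_file, OpenSSL::Random.random_bytes(32))
    ConfigDecryptor.load_key_from(key_file)
    path = File.join(dir, 'greeter.rb') # constructed sample source
    File.write(path, "module Greeter\n  def self.hello; 'hello from encrypted source'; end\nend\n")

    encrypted = encrypt_tree(dir)
    stub = File.read(path)
    load path # the stub decrypts and evals the original source
    greeting = Greeter.hello

    # Flip one byte of the stored blob, as an edit on disk would.
    blob = stub[/decrypt\('([^']+)'\)/, 1]
    raw = Base64.strict_decode64(blob)
    raw.setbyte(-1, raw.getbyte(-1) ^ 1)
    File.write(path, stub.sub(blob, Base64.strict_encode64(raw)))
    tampered = begin
      load path
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end
    { key_file_deleted: !File.exist?(key_file), files_encrypted: encrypted.size,
      plaintext_on_disk: stub.include?('hello from'), greeting: greeting,
      tamper_detected: tampered }
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

The authentication tag makes a changed file fail to load instead of running altered code, which speaks to the tampering concern raised in the thread. The key still has to sit in the memory of the running process, which is the limit the later replies discuss.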
On 6 July 2010 11:19, Andy Jeffries <andy-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:
> You can do this (I've had to do it for a client) but it's not simple
> <snip super secret process>

Very interesting approach. Will file that for future reference.

> The last step, if you're using Passenger ensure that the last child is never
> killed off (if it is, it will lose the decryption key which is now only in
> memory). I can't remember the setting but there's a timeout setting which
> you can set to zero so the last child never dies.

Hope you've got good UPS and redundancy too (and a well-negotiated call-out fee to re-encrypt everything if the YTS boy unplugs the power :-)

> I would however, recommend against doing this - server security and not
> giving out the username/password is far and away the best solution.

+1

On 6 July 2010 11:31, Michael Pavling <pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 6 July 2010 11:19, Andy Jeffries <andy-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:
> > You can do this (I've had to do it for a client) but it's not simple
> > <snip super secret process>
>
> Very interesting approach. Will file that for future reference.

I hope you never need it :-)

> > The last step, if you're using Passenger ensure that the last child is never
> > killed off (if it is, it will lose the decryption key which is now only in
> > memory). I can't remember the setting but there's a timeout setting which
> > you can set to zero so the last child never dies.
>
> Hope you've got good UPS and redundancy too (and a well-negotiated
> call-out fee to re-encrypt everything if the YTS boy unplugs the power
> :-)

We're developing the site but the day to day running is down to the client (but they have lots of power from various sources, redundancy and sysadmins to type the password back in).

Cheers,

Andy

On 6 July 2010 13:18, Andy Jeffries <andy-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:
> On 6 July 2010 11:31, Michael Pavling <pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>> On 6 July 2010 11:19, Andy Jeffries <andy-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:
>> > You can do this (I've had to do it for a client) but it's not simple
>> > <snip super secret process>
>>
>> Very interesting approach. Will file that for future reference.
>
> I hope you never need it :-)
>
>>
>> > The last step, if you're using Passenger ensure that the last child is never
>> > killed off (if it is, it will lose the decryption key which is now only in
>> > memory). I can't remember the setting but there's a timeout setting which
>> > you can set to zero so the last child never dies.
>>
>> Hope you've got good UPS and redundancy too (and a well-negotiated
>> call-out fee to re-encrypt everything if the YTS boy unplugs the power
>> :-)
>
> We're developing the site but the day to day running is down to the client (but
> they have lots of power from various sources, redundancy and sysadmins to
> type the password back in).

Is the client trying to keep the code hidden from his own sysadmins or are you trying to hide it from the client?

Colin

Yes, Sir. I am trying to hide the code from client due to some reason. I am afraid of code tampering. So I want to hide it.

You do this in linux - not in ruby. Make the directory and all the files viewable by no one but the process that runs them (apache.apache), and make it so no one can login as apache.apache. Of course, if you login as root, you can see anything, so if the client has root then all bets are off.

On Tue, Jul 6, 2010 at 8:35 AM, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Yes, Sir. I am trying to hide the code from client due to some reason. I
> am afraid of code tampering. So I want to hide it.

Exactly, proper permission management in Linux is the key to making this work.

On top of that, if it's an internet-enabled server, I would never ever ever ever ever allow username + password access to the server unless that user is sandboxed, let alone allow root access (which is like putting a big sign on your porch saying: THE KEY IS UNDERNEATH THE DOORMAT). Use SSH key-based authentication instead. Give your customer an account that has rights to view their own home folder, but nothing else.

If you really want to hide the code from the customer, host it yourself and let them pay for the hosted solution. If that's a no go and they don't want to give up their server management rights, then just rely on a very good contract (i.e. let a lawyer make it) that prohibits them from messing with the code.

We should all know by now how effective DRM is, in whatever form you want to sell it (hiding code, checking licenses, always online measures, …).

The company I work for had the same mindset, since we came from desktop apps where we had set up this whole structure of internet authenticating clients and monitoring systems and license keys and what not. My boss was afraid that our RoR projects would be copied or distributed illegally and he would lose money. Well, we didn't implement any security at all, and we've made a lot more money than we used to, simply because we could spend more time making a great app instead of implementing great license validations and restrictions (if you can call those great to start off with).

If you're worried about them changing the maximum number of users etc in your code, rethink your licensing strategy.

On 06 Jul 2010, at 15:39, Jason Michael wrote:
> You do this in linux - not in ruby. Make the directory and all the
> files viewable by no one but the process that runs them
> (apache.apache), and make it so no one can login as apache.apache. Of
> course, if you login as root, you can see anything, so if the client
> has root then all bets are off.
>
> On Tue, Jul 6, 2010 at 8:35 AM, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
> wrote:
>> Yes, Sir. I am trying to hide the code from client due to some
>> reason. I
>> am afraid of code tampering. So I want to hide it.

Andy Jeffries wrote:
> On 6 July 2010 10:34, Sumanta Das <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>
>> Or if there is any way so that I can encrypt my code
>> without interrupting the execution of the application.

If your client is determined to access your code even an encryption of the Ruby source code will not be sufficient. In order for MRI to interpret Ruby it must be decrypted. If the client has full access to the system then this means that they also have access to the encryption keys.

This is the same issue that makes decrypting DVDs possible. The keys must be available to the system performing the decryption. Now maybe doing this will discourage a client from making the attempt, but if they are determined then there's nothing stopping them from hiring someone to "crack" your encryption. But, as I said it's not really cracking it since the encryption keys exist in a location where the client has access.

Other compiled languages such as Java or .Net don't effectively protect your code either. Java (and likely .Net) can be easily decompiled into amazingly readable source code.

In the end the only real solution is to protect your source code using operating system security and by contractual licensing.

On Jul 6, 6:19 am, Andy Jeffries <a...-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:
> On 6 July 2010 10:34, Sumanta Das <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>
> > Or if there is any way so that I can encrypt my code
> > without interrupting the execution of the application.
>
> You can do this (I've had to do it for a client) but it's not simple and I
> can't share my solution's code. However, you basically go along the lines
> that you have a class responsible for decrypting/encrypting code (I used
> Base64 encoded AES). You then have Rake tasks that go through all Ruby (I
> did YAML too as YAML files are executed as ERB first) files, encrypt the
> content and replace the file contents with contents like this:
>
>     require 'config_decryptor'
>     eval ConfigDecryptor.decrypt(...ENCRYPTED_CONTENT_HERE...)
>
> Your config_decryptor.rb file has to be in the load path - I handled this by
> requiring the full path in a config/preinitializer.rb file.
>
> The eval is done once as the Ruby class files are cached in memory during
> production mode.
>
> The next problem is getting the key in to Ruby. I did this by having a Rake
> task that puts it in to a specific named file in /tmp which is then read by
> my class (during a call in preinitializer.rb) and deleted. It's not ideal,
> but it works for my purpose and would also work for yours.
>
> The last step, if you're using Passenger ensure that the last child is never
> killed off (if it is, it will lose the decryption key which is now only in
> memory). I can't remember the setting but there's a timeout setting which
> you can set to zero so the last child never dies.

Interesting solution, but also not secure. Anybody who has root can read out your running processes' memory spaces and either (a) grab the key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.

Add to that bonus nasties like directly frobbing the core of a running VPS instance from the hypervisor, and you're back in security hell again.

BTW, .Net code is similarly not "secure", since you're handing over binaries with the setup program.

The real question is not "is the code 100% secure" - it's physically impossible for that to be the case unless the server itself is somehow locked up, etc etc etc. The real question is, "is the code worth stealing"? If it is, then the best protection to invest in is the oldest: LAWYERS. The reason that (for instance) stolen copies of the Windows source aren't available has nothing to do with l33t security on the code repository, but rather the army of rabid lawyers bound to descend on anyone that posts it.

If your code is worth stealing, then it's worth getting an effective license drawn up - and worth *pursuing* that license in court should it be broken.

--Matt Jones

Props to Andy''s solution - thats pretty awesome... hopefully not everyone needs that! On Jul 6, 5:19 am, Andy Jeffries <a...-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:> On 6 July 2010 10:34, Sumanta Das <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote: > > > Or if there is any way so that I can encrypt my code > > without interrupting the execution of the application. > > You can do this (I''ve had to do it for a client) but it''s not simple and I > can''t share my solution''s code. However, you basically go along the lines > that you have a class responsible for decrypting/encrypting code (I used > Base64 encoded AES). You then have Rake tasks that go through all Ruby (I > did YAML too as YAML files are executed as ERB first) files, encrypt the > content and replace the file contents with contents like this: > > require ''config_decryptor'' > eval ConfigDecryptor.decrypt(...ENCRYPTED_CONTENT_HERE...) > > Your config_decryptor.rb file has to be in the load path - I handled this by > requiring the full path in a config/preinitializer.rb file. > > The eval is done once as the Ruby class files are cached in memory during > production mode. > > The next problem is getting the key in to Ruby. I did this by having a Rake > task that puts it in to a specific named file in /tmp which is then read by > my class (during a call in preinitializer.rb) and deleted. It''s not ideal, > but it works for my purpose and would also work for yours. > > The last step, if you''re using Passenger ensure that the last child is never > killed off (if it is, it will lose the decryption key which is now only in > memory). I can''t remember the setting but there''s a timeout setting which > you can set to zero so the last child never dies. > > I would however, recommend against doing this - server security and not > giving out the username/password is far and away the best solution. 
I work > in a specific industry in a country with a lot of security requirements so > had no choice - but it''s a solution and something I wished I never had to > write ;-) > > Cheers, > > Andy-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
> > > We''re developing the site but the day to day running is down the client > (but > > they have lots of power from various sources, redundancy and sysadmins to > > type the password back in). > > Is the client trying to keep the code hidden from his own sysadmins or > are you trying to hide it from the client? >The first option :-) Cheers, Andy -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
> > >> Or if there is any way so that I can encrypt my code > >> without interrupting the execution of the application. > > If your client is determined to access your code even an encryption of > the Ruby source code will not be sufficient. In order for MRI to > interpret Ruby it must be decrypted. If the client has full access to > the system then this means that they also have access to the encryption > keys. > > This is the same issue that makes decrypting DVDs possible. The keys > must be available to the system performing the decryption. Now maybe > doing this will discourage a client from making the attempt, but if they > are determined then there''s nothing stopping them from hiring someone to > "crack" your encryption. But, as I said it''s not really cracking it > since the encryption keys exist in a location where the client has > access. >Indeed, finding them in memory. I believe though that the requirement is to stop casual looking/tampering by the company''s sysadmins rather than to stop a dedicated expert cracker. Cheers, Andy -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
> Interesting solution, but also not secure. Anybody who has root can
> read out your running processes' memory spaces and either (a) grab the
> key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.

Yep. Completely agree. They weren't planning on stopping crackers, but sysadmins that "knew some ruby".

> Add to that bonus nasties like directly frobbing the core of a running
> VPS instance from the hypervisor, and you're back in security hell
> again.

They're not using VPS/hypervisors.

Cheers,

Andy
On 7 July 2010 01:25, Skip Levens <skip-Kujo3J8I2p0BgSeligxNI1aTQe2KTcn/@public.gmane.org> wrote:

> Props to Andy's solution - that's pretty awesome... hopefully not
> everyone needs that!

Thanks Skip and I agree with your hope. There are so many weird things I've done on this project, it's been a great/interesting experience...

Cheers,

Andy
On 7 July 2010 11:14, Andy Jeffries <andy-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:

> Yep. Completely agree. They weren't planning on stopping crackers, but
> sysadmins that "knew some ruby".

Bad news on that front, all the sys admins I know use Ruby. They start with Puppet and then start writing their own applications.

Sys admins, by virtue of their job, are highly skilled individuals. Least all the ones I know.

YMMV
On 07 Jul 2010, at 12:24, Peter Hickman wrote:

> Yep. Completely agree. They weren't planning on stopping crackers,
> but sysadmins that "knew some ruby".
>
> Bad news on that front, all the sys admins I know use Ruby. They
> start with Puppet and then start writing their own applications.
>
> Sys admins, by virtue of their job, are highly skilled individuals.
> Least all the ones I know.

In a way, you can praise yourself lucky, in my years of work (and that's quite a lot of years actually) I've come across all kinds of sysadmins: very knowledgeable people, capable people, people that think they are capable, people that are complete and utter fools, citing things they picked up from some magazine, completely misunderstood, but still think they got their position with good reason, people that know they are incapable of their job and try to make me do their work for them.

Guess it all depends on what company you work with and especially in midsize and small companies there's a huge difference in knowledge and experience when it comes to IT staff.

Getting a bit OT here, but reading this brings back so many memories... :-)

Best regards

Peter De Berdt
On Jul 7, 11:13 am, Andy Jeffries <a...-4Fjv1yF9AWJvmwGHilWZ5bVCufUGDwFn@public.gmane.org> wrote:

> Indeed, finding them in memory. I believe though that the requirement is to
> stop casual looking/tampering by the company's sysadmins rather than to stop
> a dedicated expert cracker.

You can also do fun things with ruby2ruby, e.g.

    require 'rubygems'
    require 'ruby2ruby'

    class Secret
      def secret_method
        %w(I am secret).each {|p| puts p}
      end
    end

    puts Ruby2Ruby.translate(Secret)

outputs:

    class Secret < Object
      def secret_method
        ["I", "am", "secret"].each { |p| puts(p) }
      end
    end

In theory an interested person could attach themselves to one of your ruby processes with gdb and if they knew enough about the ruby c api they could load up stuff like ruby2ruby and inspect your classes.

Fred
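The argument running through the thread (encrypted Ruby source must be decrypted with a key the host can reach, and the loaded code stays inspectable inside the interpreter) can be seen in a few lines. This is an added illustration, not code from any poster; it assumes MRI with the standard `openssl` library, the helper names and the sample class are hypothetical, and MRI's own bytecode listing stands in for the ruby2ruby output above.

```ruby
require 'openssl'

# Constructed sample: stands in for application source shipped encrypted.
SAMPLE_SOURCE = <<~RUBY
  class Secret
    def secret_method
      "licence-check-marker"
    end
  end
RUBY

# Build step: encrypt the source with AES-256-GCM (hypothetical helper).
def encrypt_source(source, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  data = cipher.update(source) + cipher.final
  { iv: iv, tag: cipher.auth_tag, data: data }
end

# Run time: the interpreter can only execute plaintext, so the loader needs
# the key on the same host that holds the ciphertext (hypothetical helper).
def load_encrypted(blob, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  source = cipher.update(blob[:data]) + cipher.final
  eval(source, TOPLEVEL_BINDING, '(encrypted app)')
end

# What is visible from inside the process afterwards: MRI keeps the
# compiled method, and its listing includes the string literals.
def loaded_bytecode(klass, method_name)
  RubyVM::InstructionSequence.of(klass.new.method(method_name)).disasm
end

key  = OpenSSL::Random.random_bytes(32) # must be stored where the app can read it
blob = encrypt_source(SAMPLE_SOURCE, key)
load_encrypted(blob, key)

marker = 'licence-check-marker'
puts "ciphertext contains marker: #{blob[:data].include?(marker)}"
puts "bytecode contains marker:   #{loaded_bytecode(Secret, :secret_method).include?(marker)}"
```

The file at rest is opaque, but the running process is not, which is why the scheme only deters casual reading by people who already have access to the host.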