Technical Answer - Protecting code in python

flit

Hello All,

I have a hard question, every time I look for this answer it gets out
from the technical domain and goes on in the moral/social domain.
First, I live in third world with bad gov., bad education, bad police
and a lot of taxes and bills to pay, and yes I live in a democratic
"state" (corrupt, but democratic).
So please, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits...
Remember I need to pay bills and security.
Now the technical question:

1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

Thanks and sorry for the introduction
 
Tom Wright

flit said:
1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

Put it in an executable? It's more hidden than protected, but it will stop a
fair few non-experts. I use and have been happy with pyinstaller, though
there are other options. I use it more for ease of distribution to
non-techy users, but it's also a simple way to hide your code.

2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

Configure your web-server properly and it will never serve up the .py files,
only the results generated by them. I've not done it with Python, but I
have set up a similar thing with Apache and XSLT where it will only give
the generated data, not the code which created it. This is true even if
there's an error in the code - it will just give "HTTP 500 Internal Server
Error" and dump something a bit more useful to its error log.
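
The behaviour described in this reply, as an added example that is not part of the original post: a minimal WSGI application in which URLs map to functions rather than files, so a request for a `.py` path gets a 404 and an unhandled exception produces a bare 500 while the traceback goes only to the error log. The route names, `SECRET_RATE`, the `request` helper and the in-memory `error_log` are assumptions made for illustration.

```python
"""Added example: a WSGI app that serves generated output, never its own source."""
import io
import logging
import traceback
from wsgiref.util import setup_testing_defaults

error_log = io.StringIO()  # stands in for the server's error log file
logger = logging.getLogger("example.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(error_log))
logger.propagate = False

SECRET_RATE = 0.0725  # hypothetical "valuable" constant that must stay server-side


def report(environ):
    # Only the computed result leaves the server, not the formula or the constant.
    return "total: %.2f\n" % (100 * (1 + SECRET_RATE))


def broken(environ):
    # Constructed failure whose message would be sensitive if shown to a client.
    raise RuntimeError("db password rejected for user 'svc'")


# URL paths map to functions only; nothing maps a URL to a file on disk.
ROUTES = {"/report": report, "/broken": broken}


def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    handler = ROUTES.get(path)
    if handler is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found\n"]
    try:
        body = handler(environ)
    except Exception:
        # Full detail goes to the log; the client sees a generic message.
        logger.error("unhandled error on %s\n%s", path, traceback.format_exc())
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain")])
        return [b"Internal Server Error\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def request(path):
    """Call the app in-process (no sockets) and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    for p in ("/report", "/app.py", "/broken"):
        print(p, request(p))
    print("error log:", error_log.getvalue().splitlines()[0])
```
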
 
Diez B. Roggisch

flit said:
Hello All,

I have a hard question, every time I look for this answer it gets out
from the technical domain and goes on in the moral/social domain.
First, I live in third world with bad gov., bad education, bad police
and a lot of taxes and bills to pay, and yes I live in a democratic
"state" (corrupt, but democratic).
So please, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits...
Remember I need to pay bills and security.
Now the technical question:

Most of these discussions aren't about open source or moral, but exactly
about what you ask - technicalities. A friend of mine is so f**ing fluent
with a disassembler, he immediately has whatever amount of credits he wants
in your usual simulation style game.

It's just a question of if the hurdles you put up are high enough for your
intended audience - and for some reason people feel that compiled code
would be much more safe. It's not. Unless very special measures are taken
(e.g. skype), but that then is also beyond the common C-compiler run.

And what almost always is not a point is that you've programmed something
that would be interesting for others to rip apart and use in pieces. Sorry,
but 99% of all code is just a bit of glue logic - and the reluctance of
developers to even use explicitly bought and well-documented libraries
instead of rolling out their own, customized solution illustrates that
adjusting your mindset to that of somebody else is much more of a problem
than actually writing amounts of - mostly trivial - code.

The only _real_ interesting thing is copy-protection. But that's a problem
for all, also the compiler-camp-buddies.
1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

If you can, just deliver the pyc-files. Should be hard enough for most
people.
2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

A service doesn't expose those files, unless you somehow instruct it to do
so.

Diez
 
Bart Ogryczak

Now the technical question:

1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

Freeze. That should be hard enough for 99% of users.
2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

That's more of a question about the security of that particular
server. Normally if the server is well set up, there is no way that
unauthorized user could access source code from outside.
 
Carsten Haese

Hello All,

I have a hard question, every time I look for this answer it gets out
from the technical domain and goes on in the moral/social domain.
First, I live in third world with bad gov., bad education, bad police
and a lot of taxes and bills to pay, and yes I live in a democratic
"state" (corrupt, but democratic).
So please, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits...
Remember I need to pay bills and security.

Developing open-source code and getting paid are not necessarily
mutually exclusive, but I digress...
Now the technical question:

1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

Not providing .py files and instead only providing .pyc files is
perfectly viable, really easy to do, and provides adequate protection
against casual/accidental code inspection.

A sufficiently determined person will be able to retrieve the source
code, but that is also true for any other imaginable protection scheme.
In order for the user's computer to execute your code, you have to give
the user's computer your code. Once that happens it's only a question of
how determined you are to obfuscate the code and how determined they are
to break your obfuscation.
2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

Providing the code as a service instead means that you don't have to
give the user your code, since the code runs on your hardware. As long
as the server is properly configured, it will never serve the source
code. You would still have to worry about malicious users trying to gain
unauthorized root access to your server, and then they can do whatever
they want, including looking at your super secret and super valuable
code.

It all comes back down to the question of how determined you are to
protect your code and how determined your users are to break into it.

-Carsten
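
Why a `.pyc` stops casual inspection but not a determined reader, as an added example that is not part of the original post: the script compiles a constructed module, deletes the source, and lists the string constants and identifiers still present in the bytecode file. The sample module, its placeholder credential and the function names `load_code`, `exposed` and `audit_sample` are assumptions made for illustration; it assumes Python 3.7 or later (16-byte `.pyc` header).

```python
"""Added example: list what a compiled .pyc still reveals."""
import importlib.util
import marshal
import os
import py_compile
import tempfile
import types

# Constructed sample module; the credential is a made-up placeholder.
SAMPLE_SOURCE = '''
DB_PASSWORD = "example-not-a-real-password"

def connect(host):
    user = "svc_report"
    return "postgres://%s:%s@%s/sales" % (user, DB_PASSWORD, host)
'''


def load_code(pyc_path):
    """Return the top-level code object stored in a .pyc file.

    marshal is not safe on untrusted input: run this on your own build output.
    """
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)  # magic, flags, mtime-or-hash, source size
        if header[:4] != importlib.util.MAGIC_NUMBER:
            raise ValueError("pyc was built by a different Python version")
        return marshal.load(fh)


def exposed(code):
    """Recursively collect string constants and identifiers from a code object."""
    strings = set()
    names = set(code.co_names) | set(code.co_varnames)
    pending = list(code.co_consts)
    while pending:
        const = pending.pop()
        if isinstance(const, str):
            strings.add(const)
        elif isinstance(const, (tuple, frozenset)):
            pending.extend(const)  # constants can be nested in tuples
        elif isinstance(const, types.CodeType):
            names.add(const.co_name)  # function and class names survive
            inner_strings, inner_names = exposed(const)
            strings |= inner_strings
            names |= inner_names
    return strings, names


def audit_sample():
    """Compile the sample, delete the .py, and inspect only the .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "report.py")
        pyc = os.path.join(tmp, "report.pyc")
        with open(src, "w") as fh:
            fh.write(SAMPLE_SOURCE)
        py_compile.compile(src, cfile=pyc, doraise=True)
        os.remove(src)  # what the customer would receive
        return exposed(load_code(pyc))


if __name__ == "__main__":
    found_strings, found_names = audit_sample()
    print("strings:", sorted(found_strings))
    print("names:  ", sorted(found_names))
```

Anything that must stay secret, such as the database password mentioned later in the thread, therefore has to live outside the shipped bytecode.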
 
Steven D'Aprano

1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

Protect it from what? Viruses? Terrorists? The corrupt government? Your
ex-wife cutting it up with scissors? People who want to copy it? People
who will look at your code and laugh at you for being a bad programmer?

Until you tell us what you are trying to protect against, your question
is meaningless.

Is your program valuable? Is it worth money? Then the 90% of script
kiddies will just wait three days, and download the program off the
Internet after the real hackers have broken your protection.

If it is NOT valuable, then why on earth do you think people will put up
with whatever "protection" you use? Why won't they just use another
program?

2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

Don't make the .py files available on the web server.

[penny drops]

Hang on, you want us to believe that you're a serious computer programmer
with a seriously valuable program that's worth "protecting", and you don't
know that? I smell a troll.
 
flit

First I wanna thanks the all people who gives good contribution to
this thread, thank you all..
Now I have something more to say:

OK, that kind of answer is what I was trying to avoid..

Protect it from what? Viruses? Terrorists? The corrupt government? Your
ex-wife cutting it up with scissors? People who want to copy it? People
who will look at your code and laugh at you for being a bad programmer?

Until you tell us what you are trying to protect against, your question
is meaningless.

In this time I supposed someone took too much coffee..But will
ignore..

Is your program valuable? Is it worth money? Then the 90% of script
kiddies will just wait three days, and download the program off the
Internet after the real hackers have broken your protection.

If it is NOT valuable, then why on earth do you think people will put up
with whatever "protection" you use? Why won't they just use another
program?

It doesn't matter if it is the next BIG HIT Ultra-fast-next-google
thing or a program to take control of my
"pet-people-living-in-welfare-trying-to-be-political"
It's a technical question, if you can't answer it ok, I will not
suppose that you are it or that, it's not a personal question or
matter.

Don't make the .py files available on the web server.

Now we have a real contribution to the thread. Thank You
[penny drops]

Hang on, you want us to believe that you're a serious computer programmer
with a seriously valuable program that's worth "protecting", and you don't
know that? I smell a troll.

Again, you don't have to believe, suppose or think anything about me,
are you capable to make any contribution? Technical one? Are you
sooooooo good and "serious" programmer that you did not develop your
personal skills, and thinks that winning an argument in internet is
the best thing in the world?

Thanks all,
Flit
(the-not-serious-programmer-that-wanna-to-be-a-big-capitalist-and-take-
the-money-from all)
 
Steven D'Aprano

First I wanna thanks the all people who gives good contribution to
this thread, thank you all..

But they haven't. They've given answers to an ill-posed question. How can
anyone tell you how to "protect code" when you haven't told us what you
want to protect against?


In this time I supposed someone took too much coffee..But will
ignore..

That is the absolute core of the problem. What are you trying to protect
against? If you can't even answer that question, then how do you expect to
find a solution?

If a customer came to you and offered you money to "protect this data",
what would you do?

Surely the FIRST thing you would need to do is find out, protect it from
what? What problem does the customer want you to solve?

Does the customer want error correction codes so he can transmit it
over a noisy data channel? Does the customer just want an off-site backup
he can take home? Does he want it encrypted? Or does he just want it
copyrighted, so it is legally protected? Or does he want you to go out and
hire a big strong man with a club to stand over the disk and hit people on
the head if they get too close?

It doesn't matter if it is the next BIG HIT Ultra-fast-next-google
thing or a program to take control of my
"pet-people-living-in-welfare-trying-to-be-political"
It's a technical question,

No it isn't. You only think it is a technical question.

You said it yourself: you have to make money. How much money are you going
to make if you spend all your time solving the technical question of
"protecting" your software, if nobody wants your software? What is the
value of the protection? Should you spend a thousand hours protecting it,
or a hundred hours, or ten, or one, or one minute, or nothing at all?

What's your business model for making money? That is far more important
than whether you can send out a .pyc file or how many people know how to
use the Python disassembler.

Maybe you'll make MORE money by giving the software away for free and
charging for services. Would you rather sell ten copies of your software
at $20 each, or give away ten thousand copies and charge five hours of
consulting services at $100 an hour?

The "technical problem" is the LEAST important part of the real problem,
which is "how do I make money from this?".
 
gtb

Hello All,

I have a hard question, every time I look for this answer it gets out
from the technical domain and goes on in the moral/social domain.
First, I live in third world with bad gov., bad education, bad police
and a lot of taxes and bills to pay, and yes I live in a democratic
"state" (corrupt, but democratic).
So please, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits...
Remember I need to pay bills and security.
Now the technical question:

1 - There is a way to make some program in python and protects it? I
am not talking about ultra hard-core protection, just a simple one
that will stop 90% script kiddies.

2 - If I put the code in web like a web service, how can I protect my
code from being ripped? There is a way to avoid someone using my site
and ripping the .py files?

Thanks and sorry for the introduction

Maybe an application for php. Then any html visible is not source but
result of execution of php.
 
Carsten Haese

Maybe an application for php. Then any html visible is not source but
result of execution of php.

How is that different from HTML output that's generated by a Python
script?

-Carsten
 
Bruno Desthuilliers

gtb wrote:
(snip)

Maybe an application for php. Then any html visible is not source but
result of execution of php.

Why would you want to use php ??? Python is far better for web
development than php will ever be.
 
Bruno Desthuilliers

flit wrote:
First I wanna thanks the all people who gives good contribution to
this thread, thank you all..
Now I have something more to say:

OK, that kind of answer is what I was trying to avoid..
(snip half-angry answers to Steven)

Flit, whether you like the way Steven expresses himself or not, I think
you should get over the tone and pay attention to *what* he actually says.

As a side note, and from a purely technical POV, the most reliable
protection is to *not* distribute the code. IOW, make your app (or the
critical parts of it) a web service. This is not an absolute protection,
but that's the best you can get AFAICT.
 
Ben Finney

Steven D'Aprano said:
Is your program valuable? Is it worth money? Then the 90% of script
kiddies will just wait three days, and download the program off the
Internet after the real hackers have broken your protection.

The real hackers wouldn't be doing that.

The crackers, however, might.
 
Paul Boddie

flit said:
OK, that kind of answer is what I was trying to avoid..

Perhaps, but it's possible that people get tired of answering the same
questions over and over again. A search in comp.lang.python for
"protect source code" will provide lots of answers, some as purely
technical as you desire.
In this time I supposed someone took too much coffee..But will
ignore..

I think Mr D'Aprano seeks too much clarification for what would appear
to be a question that would be satisfied by a "fire and forget"
response, in that people telling you the usual things (distribute
bytecode, make an executable, deploy a Web service) and leaving you to
figure it out yourself would be sufficient, especially from my
perspective since I view binary-only software rather dimly having had
to work with it (or mostly around it) fairly often in previous
corporate environments. However, in choosing to ignore what he has to
say (although you've made a bad job of actually ignoring it) you lose
out on some good insights.
It doesn't matter if it is the next BIG HIT Ultra-fast-next-google
thing or a program to take control of my
"pet-people-living-in-welfare-trying-to-be-political"
It's a technical question, if you can't answer it ok, I will not
suppose that you are it or that, it's not a personal question or
matter.

No, but as was pointed out, if you make something valuable enough and
apply complicated enough technology to protect it, you spend your way
into becoming a top ten target for people who will "unprotect" it in
every sense. So it's a social and an economic matter as well as an
ethical and a technical one. Don't agree? You should read the paper
about reverse engineering Skype - the effort used Python, by the way -
and that was done ostensibly for network management purposes, although
lots of people would quite happily leverage that kind of work for
other purposes. Sure, most people won't care about your program enough
to do anything more than run a decompiler on it (either a Python
bytecode one or a machine code one), and that might be too
sophisticated for your users, but it's a tradeoff defined in terms of
who your users are and what the reward might be for them in getting
access to your "secrets".
Now we have a real contribution to the thread. Thank You

It was surely the answer all along. Software as a service, you know?
[penny drops]

Hang on, you want us to believe that you're a serious computer programmer
with a seriously valuable program that's worth "protecting", and you don't
know that? I smell a troll.
[...]

Again, you don't have to believe, suppose or think anything about me,
are you capable to make any contribution? Technical one? Are you
sooooooo good and "serious" programmer that you did not develop your
personal skills, and thinks that winning an argument in internet is
the best thing in the world?

If the advice to not distribute your code - instead offering the
software as a service - was genuinely enlightening to you then I think
Mr D'Aprano has made quite a contribution that you fail to
acknowledge. If the enlightenment is merely for show, expressing shock
that Python programs can't be protected when they're distributed, then
stopping short of using the T word (as in the word used by Mr D'Aprano
above) I'd say that you should acquaint yourself with "copy
protection" and DRM mechanisms as well as the phenomenon that is
Trusted (a.k.a. Treacherous) Computing, then apply that knowledge to
any other favourite platforms and tools you may have.

Paul

P.S. I suppose sarcasm is a natural response when someone feels like
they're being lectured to, but you could pay good money and not get
advice as comprehensive as this. Still, I suppose it beats people
thinking that software patents are somehow cool tools of innovation
that confer technical and social credibility.
 
Bart Willems

Steven said:
Protect it from what? Viruses? Terrorists? The corrupt government? Your
ex-wife cutting it up with scissors? People who want to copy it? People
who will look at your code and laugh at you for being a bad programmer?

Until you tell us what you are trying to protect against, your question
is meaningless.

Is your program valuable? Is it worth money? Then the 90% of script
kiddies will just wait three days, and download the program off the
Internet after the real hackers have broken your protection.

If it is NOT valuable, then why on earth do you think people will put up
with whatever "protection" you use? Why won't they just use another
program?

Some of us live in a world where consultants get paid for the work they
do /by clients/. That work might be delivering the solution to some kind
of problem. Whatever that problem is, a Python script can apparently
solve it. Just to give a few ideas: grabbing data from a web server,
converting output from system x in such a way that it can be used by
system y, etc.

Now - and I know this will take an enormous leap of imagination, but try!
try! - imagine that whatever the original problem was, it has changed.
Maybe server x has changed into server z. Maybe the web page that we're
pulling data from has a different format now. We don't know.

The consultant will leave a program that is of course highly
configurable so that the client can make simple changes him/herself. He
has to, as his clients will stop doing business if they have to call him
for every fart they let out.

However, there can also be more complex cases. What the consultant wants
is that the client will call HIM to fix the problem, not the director's
nephew who took two weeks of classes.
Or the consultant wants to be sure that the two dimwitted nincompoops at
the office who /think/ they can write code don't screw up the script
when they're trying to 'fix' or 'improve' something. And blame the
consultant if the script all of a sudden stops working 'we did not do
anything. It just stopped working all of a sudden'.
Or he doesn't want to expose the passwords needed to logon to the
database server. Or whatever.

So, there are reasons enough why someone wants to render his code
immutable and/or unreadable *to some extent*. He doesn't have to fear
reverse engineering by decompiling assembly code. If the 'hacker' can do
that, he can probably put the whole script together. The consultant's
problem are the people who shouldn't be touching or reading the script
because they have no clue what they are doing and want to 'help' anyway.
The OP clearly states that he does not want a discussion as to why to
protect the code. All he wants is something that turns 'readable,
changeable python' into 'unreadable, immutable python'. Yes, there are
ways to get around it, but that is not his 'target audience' for the
'protection'.

Yes, I do smell a troll, but not in the original mail.
 
flit

I didn't reply to the last D'Aprano reply just to avoid this kind of
social war.
And yes, I know that if I want 100% security I should not distribute
my code. And there is a better way that is not doing any code to be
more secure and bug-free (now I am using irony).
And no, I am not supporter of software patents, RIAA and DRM.

And Mr. Willems understood very well my problem and my condition. And
others too in the beginning of the post.
But look...after Mr D'Aprano enters it starts this social warfare.....

So where is the troll?

In fact I think the heroes series was based in this thread (Hiros read
it and come back in time)
Because there is some people who have special DNAs that give powers to
see beyond their problems and environments, so they can read the post,
understand and give technical details, understanding this is not
comp.lang.python.social-activism-political-be-open-not-evil

About trolls:

No way I will do this question only to say to others:
"Look python can't do this like xxxx does.."
or
"Look now I will activate the
"pet-people-living-in-welfare-trying-to-be-political" in the list and
they will join and sing songs about the revolution.."

if you do a search in this group for this problem you will see more
political whining than answers in this type of questions...

Just look this post!! Seriously read one by one.... Beginning ok.. 2
ok ,3 ok , 4 ok .. and bang..!!!

Going back in the beginning I said :

"So PLEASE, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits... "

So who is failing to acknowledge the question? AND AGAIN someone will
search for "protecting python code" and will see the same whining and
political threads...
I think the python community is great, and I love the python language,
if you search for superflit in this group you will see that I love
python and the community, I am a newbie, but I am not imposing my
beliefs I am just saying that my reality is a little different and I
need a answer for a particular problem.
That is the reason because I always recommend people to travel out of
their CONTINENT, and stay more than 5 months living in another
culture.
I can elaborate a more "intellectual" answer but sorry. I have to work
at 6:00 am to pay my bills, and if I get unemployed there is no
welfare, nothing , nada, zero.
I believe in reincarnation, so next time I will aim better :)
For me this thread is closed, and I think this is the most crazy
thread in this list.
Thank you all, for the technical answers, and sorry if I insult anyone
directly or indirectly ( I am a political incorrect person)
That's all folks..finito
 
Steven D'Aprano

The real hackers wouldn't be doing that.

The crackers, however, might.

I quote Bruce Schneier:

For years I have refused to play the semantic "hacker" vs. "cracker" game.
There are good hackers and bad hackers, just as there are good
electricians and bad electricians. "Hacker" is a mindset and a skill set;
what you do with it is a different issue.
[end quote]

See his essay on "What is a hacker" here:
http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html

In addition, virtually nobody outside of the IT hacker subculture knows
what you're talking about if you talk about crackers. Our network was
brought down by a biscuit???
 
Steven D'Aprano

Or the consultant wants to be sure that the two dimwitted nincompoops at
the office who /think/ they can write code don't screw up the script
when they're trying to 'fix' or 'improve' something. And blame the
consultant if the script all of a sudden stops working 'we did not do
anything. It just stopped working all of a sudden'.
Or he doesn't want to expose the passwords needed to logon to the
database server. Or whatever.

So, there are reasons enough why someone wants to render his code
immutable and/or unreadable *to some extent*.

And that's what I've been asking. How to protect the code depends on what
you are trying to protect it from. Why is that so hard to understand?

In the above scenarios, one solution is:

chmod a-w script.py

If they don't have write permission, they can't "improve" it by adding
bugs. If they take the time and effort to give themselves write
permission, then they have accepted responsibility for breaking it.

The OP clearly states that he does not want a discussion as to why to
protect the code.

The OP might not want such a discussion, but without it, any answers he
gets are sure to be bad answers except by accident.


All he wants is something that turns 'readable,
changeable python' into 'unreadable, immutable python'.

chown scriptuser script.py # a unique user
chmod a-rwx script.py
chmod u+rx script.py

I believe that fully meets the functional requirements. Where shall I send
the invoice?
 
Steven D'Aprano

Going back in the beginning I said :

"So PLEASE, don't try to convince me about the social / economical /
open source / give to all / be open / all people are honest until
prove contrary / dance with the rabbits... "

I have done NONE of that.

I've just pointed out, time and time again, that you haven't asked a
meaningful question.

Even after all these posts, still won't tell us what you are trying to
protect against. People copying your program? Competitors infringing your
patents? Your "corrupt" and "bad" government (your words) infringing your
moral rights as an author? Your customer editing your program and breaking
it? Who knows? I don't. I wonder whether even you do.

You keep asking for a technical solution, even if a technical solution
is not appropriate, but you won't tell us what the problem is. Tell us the
threat you want to protect against, and we'll suggest meaningful solutions.
 
Bart Willems

Aaah, *now* we're getting somewhere... :)
chown scriptuser script.py # a unique user
chmod a-rwx script.py
chmod u+rx script.py

I believe that fully meets the functional requirements. Where shall I send
the invoice?

If it works on the target machine - I am under the assumption that the
client is some kind of government office - more likely to run Windows
than it is to run unix/linux/etc.

Who has a similar solution for windows?
 
