J2EE protection


JSC

Hi,

I know it is always a tough question to talk about source code
protection in the Java world. But eventually, it is quite important.
We have a J2EE application, hosted on the customer site. It is currently
in ASP (not even ASP.NET). This is a security problem for us as the
client could decide to copy the application and sell it to others.
We are going to change the technology. J2EE is a good candidate for most
questions we have, but the same problem is still here when the "source
code security" comes.
The server is in the client IT room, as well as the DB. What kind of
protection could we use to prevent them from copying and pasting the software
to another server in another place?
Ok, we have already compiled some native code check to prevent this
"copy and paste" stuff. But what about reverse engineering? They can
still copy the JARs, see how we call the native methods and shortcut it.
There is little chance we decide to obfuscate the code as well (ok, it
could come, but it is not the priority if there is a better solution, as
obfuscation only makes the code difficult to read). Any other tested
solution? We have some budget if necessary.
If we cannot prevent reverse engineering, we might then have to go to
.NET... seriously increasing the development cost...

Thank you.
 

jan V

JSC said:
If we cannot prevent reverse engineering, we might then have to go to
.NET... seriously increasing the development cost...

And .NET has a magic bullet for this problem? You seem to be implying that
it has, maybe you can share that insight?
 

Thomas Weidenfeller

JSC said:
This is a security problem for us as the
client could decide to copy the applation and sell it to others.

That's not a security problem, that's a copy protection problem. Much
has been said about software copy protection in the last few decades,
and the summary is still the same: There is currently no feasible 100%
secure software copy protection mechanism.

Java is not really different from other languages in that matter. The
only point is that cracking a protection mechanism in Java can be a
little bit simpler because of the possibility to decompile Java.
However, there are more than enough people out there who can crack
native binary copy protection mechanisms with an assembler-debugger in
no time at all - so the possibility to decompile Java doesn't make a
copy protection mechanism implemented in Java any worse than one
implemented in a native binary. Both can be cracked in no time by the
right people.

You should consider non-technical protection mechanisms, e.g. ask your
lawyer to draft a strong contract with penalties, etc. And if you don't
trust your customer at all, you should consider not selling to him.

You should also plan for a certain amount of lost sales due to copying
in your business plan.

Alternatively, consider selling them the application as a remote service,
where you host the application software on one of your servers, on your
facilities, and they just get to use it from remote. Or you could
consider going open source and sell consulting and other services for
the software, and don't worry about the copying at all.

JSC said:
Ok, we have already compiled some native code check to prevent this
"copy and paste" stuff. But what about reverse engineering? They can
still copy the JARs, see how we call the native methods and shortcut it.

Yes, and whatever you do, whatever language you use, people can do that.
It is not a question of Java or .NET, it is a question of dedication and
motivation.

/Thomas
 

jan V

Thomas said:
You should consider non-technical protection mechanisms, e.g. ask your
lawyer to draft a strong contract with penalties, etc.

Exactly. And because there are plenty of very expensive and very incompetent
lawyers out there, you may want to do a bit of legal research yourself and
write these clauses yourself. Anyone with regular commercial exposure should
know basic contract law anyway. The main thing to watch for when drafting
your own contract clauses is not to fall foul of unfair/unenforceable
contract laws, such as The Unfair Contract Terms Acts in England/Wales
jurisdiction.

Carefully analysing say 5-10 contracts/licenses from other commercial
software vendors is also a great source of information.
Thomas said:
And if you don't trust your customer at all, you should consider not
selling to him.

Totally agree. Well-drafted contracts are a waste of time and money when
you're dealing with dishonest clients. Because they may give you no option
but to be pushed to considering the legal action route, and that's usually a
route you want to avoid at all cost (to preserve your sanity).
 

znôrt

JSC said:
What kind of
protection could we use to prevent them to copy and paste
the software to another server in another place?

The best one available: focus on support, service and know-how, not on code
hiding or ownership. Customers don't really pay for your code, but for you to
provide tools and solutions for their ever-changing needs. Superb code without
support is of very little use for the average customer. Good code with good
support makes for solid, perdurable and profitable relationships.

I wouldn't mind my customers playing with the code I provide, even if
they reuse it, as long as our relationship is good. And I really don't think any
of them would risk making a profit selling my code, since such activity (if
significant) can be easily tracked and has potentially serious legal
consequences.

BTW, I could not think of a more psychedelic reason to move to .net. :-D
 

jan V

znôrt said:
And I really don't think any
of them would risk making a profit selling my code, since such activity (if
significant) can be easily tracked and has potentially serious legal
consequences.

Potentially.... i.e. only if *you* actually decide to throw silly amounts of
time and money at lawyers.. and even then the consequences could be that
because of lawyer (or even judge!) incompetence, you lose your litigation
case, and are looking at a potentially company-damaging total legal bill. A
fair number of people in the business world know this, and are therefore
willing to cross the line by breaching their contractual terms to make more
money. Look at how Microsoft constantly treats the law as something to play
with.. lots of smaller players likewise exploit the system.
 

JSC

jan said:
And .NET has a magic bullet for this problem? You seem to be implying that
it has, maybe you can share that insight?

I don't know :) I don't know much about the detailed .NET protection, but I
expected that compiling the .aspx projects to .dll could be stronger
than any Java obfuscation/protection. I could be wrong, I don't have
enough experience in the .NET domain.
 

JSC

Thomas said:
That's not a security problem, that's a copy protection problem. Much
has been said about software copy protection in the last few decades,
and the summary is still the same: There is currently no feasible 100%
secure software copy protection mechanism.

Yes... I know that. :)

Thomas said:
Java is not really different from other languages in that matter. The
only point is that cracking a protection mechanism in Java can be a
little bit simpler because of the possibility to decompile Java.
However, there are more than enough people out there who can crack
native binary copy protection mechanisms with an assembler-debugger in
no time at all - so the possibility to decompile Java doesn't make a
copy protection mechanism implemented in Java any worse than one
implemented in a native binary. Both can be cracked in no time by the
right people.

Right. We do have copyright and name protection for our product in the US
and Europe. We already managed the legal stuff (we are going to deposit
the source code with the lawyers next month).
Also, our software is for a specific industry. And the average IT guy in
this industry hardly knows how to back up a DB.
I am not really worried about copying of the code or reverse engineering by
our customer (IT person or not). We trust their loyalty to us.
What I worry about is that we have serious competitors, and if somebody simply
copies our code to a CD, then sells it for a few bucks to our competitors,
this would be a bad thing.
Also we cannot host the application ourselves, as the average customer
doesn't have an internet connection (we are really in a specific industry).

So I guess what we've done is enough: some license checking through JNI
stuff, legal protections...

Thanks
 

Andrew Thompson

JSC said:
Also we cannot host the application ourselves, as the average customer
doesn't have an internet connection (we are really in a specific industry).

Specifically what industry would that be?

Even your average crop farmer is directly selling their
produce through the futures markets over the web these
days!

I am pretty sure there are radio based connections capable
of providing internet to antarctic bases.

You did mention your customers are themselves running servers,
yet you maintain they cannot manage an internet connection?

Most bizarre and curious!
 

znôrt

jan said:
Potentially.... i.e. only if *you* actually decide to throw
silly amounts of time and money at lawyers.. and even then
the consequences could be that because of lawyer (or even
judge!) incompetence, you lose your litigation case, and
are looking at a potentially company-damaging total legal
bill. A fair number of people in the business world know
this, and are therefore willing to cross the line by
breaching their contractual terms to make more money. Look
at how Microsoft constantly treats the law as something to
play with.. lots of smaller players likewise exploit the
system.

Good point. But I'm a small player too, and as such I'm mostly interested in
what I called 'solid, perdurable and profitable relationships'. There's some
amount of mutual confidence in this. I hardly would start a lawsuit for such a
case, maybe if there was really big money at stake, but most probably I
would simply, worst case, drop the customer. What I find effective and
discouraging is "the threat" of a possible suit. And until now my company
hasn't managed to bring up such clever code as to be such a temptation for
my customers for them to cheat us, prepare to invest in lawsuit costs and,
more importantly, lose our support. Add to it that we usually sell the source
code, too. An important fact is that most of our customers' businesses are not IT
related. When working for IT companies, you always have to give the source
away, anyway (we ourselves wouldn't accept a strategic component from other
companies without source, would we?). There is, however, the case when
you collaborate with another IT vendor in a shared project. Yes, that's a
special case. Well, we have had some such cases, but we haven't applied
any special hiding technology and there hasn't been any trouble until now.

The bottom line is, I really believe that making money with stolen code is
much harder than writing it. Maybe not harder, but .... "specialized" :D Just
happy that MS's example hasn't taken over my country, yet. XD

regards
 

JSC

Andrew said:
Specifically what industry would that be?

Even your average crop farmer is directly selling their
produce through the futures markets over the web these
days!

I am pretty sure their are radio based connections capable
of providing internet to antarctic bases.

You did mention your customers are themselves running servers,
yet you maintain they cannot manage an internet connection?

Most bizarre and curious!

Yes, but it seems you don't know the "holiday industry". Our customers
are hotels and holiday clubs (not isolated places, but chains of hotels).
And most of them are running 2 months of tests before upgrading to Service
Pack 2 on XP. The problem is not that they can't get internet. Those hotels
don't want internet connections. They have an internal LAN, but no output
to the internet. And it ain't going to change. But as long as they have
money to pay and we can protect ourselves a minimum, that's a good deal.
 

Andrew Thompson

On Thu, 04 Aug 2005 18:49:06 +0700, JSC wrote:

(What industry does not have internet access?)
Yes, but it seems you don't know the "holiday industry". Our customers
are hotels and holiday clubs (not isolated places, but chains of hotels).
And most of them are running 2 months of tests before upgrading to Service
Pack 2 on XP. The problem is not that they can't get internet. Those hotels
don't want internet connections.

...which just raises the question. What sort of 'hotels'
or 'holiday clubs' would not offer (at the very least)
phone plug-in modem connections for their guests?

Given that, all it takes is a modem and (even an) SP2
knobbled IE to 'do the net'..

Am I missing something here? It is *guests* right?
You are not just using euphemisms for the burgeoning
incarceration industry, ..eh?
 

JSC

Andrew said:
On Thu, 04 Aug 2005 18:49:06 +0700, JSC wrote:

(What industry does not have internet access?)

...which just raises the question. What sort of 'hotels'
or 'holiday clubs' would not offer (at the very least)
phone plug-in modem connections for their guests?

Given that, all it takes is a modem and (even an) SP2
knobbled IE to 'do the net'..

Am I missing something here? It is *guests* right?
You are not just using euphemisms for the burgeoning
incarceration industry, ..eh?

This is going quite off-topic. But note that I never said they don't
offer internet connection in hotel rooms or around the parks. I meant
they don't want in their front/back office, i.e., for the staff.
 