Protecting ruby/rails source: How?

Carmine Moleti

Hi to everyone,

I have to develop a new application and there are good chances that it
will be "web" based (it should be used in an intranet).

Now I'm evaluating ruby and rails as the tool of choice. They both are
great stuff!

There's one thing stopping me so far, and it's that the application's
source code will be available to everyone.
I thought I could put all the registration/license info in a database
table giving the "normal" user read-only access, thus cutting out
"weekend" pirates.

This, though, won't stop more skilled "pirates" from modifying the source
code in order to:
- Ignore the registration/license table
- Use an "ad hoc" one to fake a valid license

Are there any methods to avoid this?
I've read about Ruby source code obfuscators, but there seem to be
none available (production ready) yet. Still, are they useful for this
purpose?

I forgot to say that the app has to be installed both on windows systems
and on linux systems.

Thanks in advance for your reply.

Regards,
Carmine
 
coachhilton

I made a post about this topic a couple of years ago. The idea I was
going with at the time was obfuscation. However, the Ruby gurus out
there convinced me that even that wouldn't stop a serious hacker from
being able to read or modify the code. As I recall, the final answer
was to use the Ruby to C converter and compile an exe, which would be
much harder to modify. Here's the thread for that post, in the event
it's at all useful to you.

Ken

http://groups.google.com/group/comp...803c20654?q=obfuscate&rnum=1#f31a34f803c20654
 
Jonathan Heinen

Hello,

Why would the code be available to everyone if you write a web-based Ruby
on Rails application?
Didn't I understand you well? Do you want to write a web server application
usable by a browser as client? Or will you write clients in Ruby
connecting with databases?

Jonathan
 
Carmine Moleti

Hello Jonathan,

> Why would the code be available to everyone if you write a web-based Ruby
> on Rails application?
> Didn't I understand you well? Do you want to write a web server application
> usable by a browser as client? Or will you write clients in Ruby
> connecting with databases?

Sorry for not being clear enough; English is not my language.

There are two kinds of applications waiting to be developed (separately)
and that have nothing to do with each other.

The first one is a Ruby one with GUI and DB and no Rails.
The second one is a Rails one.

In either case, the source code will be placed within "short" reach of
the users' hands.

I mean, I'm not the owner of the customers' servers/workstations hardware,
hence I can impose very few limits on what contents can be seen/touched
by anyone via permissions.
This means that there's the possibility that the sources can be modified
without my company's permission. As I wrote before, a Ruby-skilled
person could modify the sources to bypass the license protection code and
thus copy the application to someone else.

Thanks for your help.
 
Psychotron

Carmine Moleti said:
> I have to develop a new application and there are good chances that it
> will be "web" based (it should be used in an intranet).
>
> Now I'm evaluating ruby and rails as the tool of choice. They both are
> great stuff!
>
> There's one thing stopping me so far, and it's that the application's
> source code will be available to everyone.
> I thought I could put all the registration/license info in a database
> table giving the "normal" user read-only access, thus cutting out
> "weekend" pirates.
>
> This, though, won't stop more skilled "pirates" from modifying the source
> code in order to:
> - Ignore the registration/license table
> - Use an "ad hoc" one to fake a valid license

I think it is a waste of time. Basic protection is good and the poorly
skilled crackers are gone.

Perhaps rubyscript2exe can be useful in your case
<http://www.erikveen.dds.nl/rubyscript2exe/index.html>

But the source is copied to a temp location upon execution...
 
Carmine Moleti

Psychotron wrote:
> I think it is a waste of time. Basic protection is good and the poorly
> skilled crackers are gone.
>
> Perhaps rubyscript2exe can be useful in your case
> <http://www.erikveen.dds.nl/rubyscript2exe/index.html>
>
> But the source is copied to a temp location upon execution...

I do agree it's a waste of time, since there's nothing to prevent source
modification and/or copying the whole app yet.

Well, I guess I'll have to report this to the application's stakeholder;
then if he wishes to take this "risk", OK, else I'll have to :( evaluate
something different than ruby/rails.
 
Neil Wilson

> Are there any methods to avoid this?

Yes. Use legal action and random audits. The solution is not technical
but legal. Your source is copyright and the user has only a license to
employ. If they break that license you sue them.

Trying to hide a program is a waste of time. It makes maintenance
harder and doesn't stop anybody who wants to from working out what your
program does.

If it is more important to protect your code than to be able to develop
it quickly then I would question why you are using Ruby and Rails in
the first place.

Stop looking for a technical solution. There isn't one to this
particular problem. The solution lies in the reporting and auditing
process.
 
Carmine Moleti

First off, thanks for your reply.

Neil Wilson wrote:
> > Are there any methods to avoid this?
>
> Yes. Use legal action and random audits. The solution is not technical
> but legal. Your source is copyright and the user has only a license to
> employ. If they break that license you sue them.

This is a good solution, and doing random audits will allow checking
whether or not there have been source code modifications. What about
unauthorized redistributions?

> Trying to hide a program is a waste of time. It makes maintenance
> harder and doesn't stop anybody who wants to from working out what your
> program does.

I do agree. So, do you think the only solution to avoid unauthorized
redistribution is to "pray" and hope that customers behave well?

> If it is more important to protect your code than to be able to develop
> it quickly then I would question why you are using Ruby and Rails in
> the first place.

Protecting the code is not more important; it's also important to me (if
there's a way to).

I'm trying to push ruby/rails in the company's business, and "code
hiding" is something I'll be asked about for sure.
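
The audit idea discussed above (checking an installation for modified source files), as an added Ruby example that is not part of any poster's message: a manifest of SHA-256 digests taken at release time is compared against the deployed tree. The file names and contents are constructed, and the manifest is assumed to be kept by the vendor rather than on the audited machine.

```ruby
require "digest"
require "find"
require "tmpdir"
require "fileutils"

# Map every regular file under root to its SHA-256 digest, keyed by relative path.
def build_manifest(root)
  manifest = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path.delete_prefix(root + File::SEPARATOR)
    manifest[rel] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Compare a deployed tree with the release manifest and report the differences.
def audit(root, manifest)
  deployed = build_manifest(root)
  common = manifest.keys & deployed.keys
  {
    modified: common.reject { |f| manifest[f] == deployed[f] }.sort,
    missing:  (manifest.keys - deployed.keys).sort,
    added:    (deployed.keys - manifest.keys).sort
  }
end

# Constructed sample tree: built, recorded, then altered to simulate local edits.
def demo_audit
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "app/models"))
    { "app/models/license.rb" => "# release version of the license check\n",
      "app/models/invoice.rb" => "class Invoice; end\n",
      "app/models/user.rb"    => "class User; end\n" }.each do |rel, body|
      File.write(File.join(root, rel), body)
    end
    manifest = build_manifest(root) # taken at release time, stored by the vendor

    File.write(File.join(root, "app/models/license.rb"), "# edited on site\n")
    File.write(File.join(root, "app/models/patch.rb"), "# file not in the release\n")
    FileUtils.rm(File.join(root, "app/models/invoice.rb"))
    audit(root, manifest)
  end
end

p demo_audit if __FILE__ == $PROGRAM_NAME
```

A manifest stored next to the sources can be regenerated by whoever edits them, so the comparison only means something when the reference copy stays outside the customer's control.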
 
Tom Agnew

Are file system protections an option? Can you use strict permissions
or ACLs on your production files?
 
Neil Wilson

> I do agree. So, do you think the only solution to avoid unauthorized
> redistribution is to "pray" and hope that customers behave well?

Not quite that negative. More speak softly and carry a big stick. Not
quite sure if that particular metaphor translates that well though.

Essentially the solution is process based, not technology based.
Hacking and illegal duplication is a fact of life, but, once you feel
the need to go beyond pragmatic security controls to something that is
going to make life harder, then the solution is with the lawyers not
the programmers.

And I think you'll find that the majority of people are honest and only
too happy to show that they are complying with their licences.

NeilW
 
Carmine Moleti

Hi Tom,

Tom Agnew wrote:
> Are file system protections an option? Can you use strict permissions
> or ACLs on your production files?

As of now, I'm evaluating the following possibilities:

- On Windows platforms (almost exclusively workstations):
  - The installer takes care of license code validation
  - It's a "poor" solution but I have to provide one :)

- On Linux platforms:
  - This environment won't be too "hostile" since almost every Linux
    server at our customers' places is managed by us :)


Thanks
 
Carmine Moleti

Hi Neil,

Neil Wilson wrote:
> > I do agree. So, do you think the only solution to avoid unauthorized
> > redistribution is to "pray" and hope that customers behave well?
>
> Not quite that negative. More speak softly and carry a big stick. Not
> quite sure if that particular metaphor translates that well though.

Care to elaborate on this metaphor?

> Essentially the solution is process based, not technology based.
> Hacking and illegal duplication is a fact of life, but, once you feel
> the need to go beyond pragmatic security controls to something that is
> going to make life harder, then the solution is with the lawyers not
> the programmers.

Let's hope this application will be so widespread it will need lawyers
to protect copyright! :)

Thanks
 
Alain FELER

Carmine Moleti wrote:
> Hi Neil,
>
> Neil Wilson wrote:
>
> Care to elaborate on this metaphor?
>
> Let's hope this application will be so widespread it will need lawyers
> to protect copyright! :)
>
> Thanks

In my very first programming course, the teacher showed us a very simple
and very short program (about ten lines of code) with very cryptic
variable names (let's say a b c d ...). None of us could understand
what that code was supposed to do. The idea was "use understandable
variable names". I suppose it would be quite easy to write a ruby program
to translate all your sources so that every class, method and variable
would be meaningless in your distributions... Then it would cost anybody
much more effort to reverse engineer your code. Is this silly?
 
