Python obfuscation


Anton Vredegoor

Alex said:
Modern equivalents of serialization (publishing one chapter at a time on
the web, the next chapter to come only if the author receives enough
payment for the previous one) have been attempted, but without much
success so far; however, the holy grail of "micropayments" might yet
afford a rebirth for such a model -- if paying for a chapter was
extremely convenient and cheap, enough people might choose to do so
rather than risk the next chapter never appearing. Remember that, by
totally disintermediating publishers and bookstores, a novelist may
require maybe 1/10th of what the book would need to gross in stores, in
order to end up with the same amount of cash in his or her pockets.

One could go on for a long time, but the key point is that there may or
may not exist viable monetization models for all sorts of endeavours,
including the writing of novels, depending on a lot of other issues of
social as well as legal structures. Let's not be blinded by one model
that has worked sort of decently for a small time in certain sets of
conditions, into believing that model is the only workable one today or
tomorrow, with conditions that may be in fact very different.

Maybe this micropayment thing is already working and active. What is
the cost of a mouseclick and what is the monetarial value of the fact
that someone is clicking on a link? Someone bought virtual property for
real money and sold it later with a lot of profit. There are pages
where one can buy pixels. Maybe me replying to you will provoke some
other chain of events with payoffs for you or me (I hope positive :)

The idea of using a webservice to hide essential secret parts of your
application can only work well if one makes some random alterations to
the results of the queries. Like GPS signals that are deliberately made
less exact. Obfuscated Python code could for example return variable
precision numbers with a slight random alteration. I think such things
would make it harder to reverse engineer the code behind the server.

But the more one messes with the ideal output the more often the user
will rather click another link. (or launch another satellite)

Anton.

what's the current exchange rate for clicks and dollars?
 

Stephen Kellett

The said:
My point exactly. A good application of moderate to large size (100K
lines of code) is about as large as a single person can write without
automation,

You have not been working with the right people. They do exist, but they
are rare.

Stephen
 

Mike Meyer

Chris Mellon said:
Your rights are anything you can do that is not forbidden - the US
constitution is explicitly designed in this way, something that people
often forget. There is no difference between an "explicit" and an
"inferred" right, by design. If you read the text of the US
constitution, even the phrasing makes this clear. In fact, the format
of the Bill of Rights was considered harmful by some of the founding
fathers, because they felt that people would interpret it exactly as
they have - as enumerating the limits of government power, instead of
enumerating the powers themselves.

It should be noted that the 10th amendment was added to the bill of
rights to deal with this fear. It states explicitly that any rights
not listed were reserved to the states or the public.

<mike
 

Alex Martelli

Anton Vredegoor said:
Maybe this micropayment thing is already working and active. What is
the cost of a mouseclick and what is the monetarial value of the fact
that someone is clicking on a link? Someone bought virtual property for

I believe that all of the currently dominant models for pricing in this
field are based on auctions -- each would-be advertiser bids how many
cents (or dollars;-) a click-through into their advertisement is worth
to them, Google or one of our competitors shows the "highest bidding"
ads for a query or site (adjusted by all sort of factors, such as for
example the click-through rates), and money changes "hands" only if a
click-through does happen (the amount of money involved may be the
amount that was bid, or a lesser one based for example on a
"second-price auction" or other mechanisms yet -- there's a lot of
fascinating economic literature on auction mechanisms and the various
effects slightly different mechanisms may have).

If an auction mechanism is well-designed and tuned in minute detail, it
will presumably determine accurately the "monetarial value of [a click]
on a link" when that link is an ad paid for by such a mechanism. Value
of clicks on other kinds of links is harder to compute, of course, since
the monetization may be extremely indirect, if one exists at all.

real money and sold it later with a lot of profit. There are pages
where one can buy pixels. Maybe me replying to you will provoke some
other chain of events with payoffs for you or me (I hope positive :)

Maybe -- but you'd have to estimate the probabilities in order to
estimate the expected payoffs;-).

The idea of using a webservice to hide essential secret parts of your
application can only work well if one makes some random alterations to
the results of the queries. Like GPS signals that are deliberately made

I disagree on this general statement and I have already given two
counterexamples:

a. a webservice which, for some amount X of money, gives an excellent
heuristic estimate of a good cutting-path for a woodcutting tool (for a
set of shapes to be cut out of standard-sized planks of wood by a
numerically driven cutter): this is a case where ESR, acting as a
consultant, advised his clients (who had developed a heuristic for this
task which saved a lot of wood compared to their competitors') to keep
their code closed-source, and it makes a good use case for the "hide
essential secret parts" in general;

b. a (hypothetical) website that, given time-space coordinates (and some
amount Y of money), produces and returns weather predictions that are
better than those you can get from its competitors.

It appears to me that any application of this kind could work well
without at all "making random alterations" to whatever. Point is, if
you develop a better algorithm (or, more likely, heuristic) for good
solutions to such problems, or predictions of just about anything which
might have economic value to somebody, using a webservice to hide the
essential secret parts of your discovery is an option, and it might be a
preferable alternative to relying on patents (since software patents may
not be enforceable everywhere in the world, and even where they're
nominally enforceable it could prove problematic and costly to actually
deter all would-be competitors from undercutting you). I do not see
anything in your post that contradicts this, except the bare unsupported
assertion that a webservice "can only work well if one makes random
alterations".

But the more one messes with the ideal output the more often the user
will rather click another link. (or launch another satellite)

Of course. If my "better weather predictor" is in fact based not on
inventing some new algorithm/heuristic, but on having better or more
abundant raw data due to my private network of satellites or other
observation platforms, this doesn't change the economic situation by all
that much (except that patenting may not even be an option in the latter
case, if there's no patentable innovation in that private network); a
competitor *could* reach or surpass my predictions' quality by investing
enough to re-develop the heuristic or duplicate the sensors-network.
So, my pricing should probably take that risk into account.

Deliberately giving predictions worse than I could have given, in this
context, seems a deliberate self-sabotage without any return.

what's the current exchange rate for clicks and dollars?

As far as I know, it varies wildly depending on the context, but I
suspect you can find ranges of estimates on the web.


Alex
 

Bengt Richter

I disagree on this general statement and I have already given two
counterexamples:

I agree with your disagreement in general, but I think Antoon may be
alluding to the "covert channel" problem, where sometimes randomization
of an external observable is a defense. E.g., if a web site login process
responds faster with a rejection of a bad user name (i.e. is not in the authorized
user list) than it does for a valid user name and a bad password, the timing
difference can be used over time to eke out the private user name list, and
make subsequent password attacks that much easier.

The time difference of course will be degraded with noise, but if the signal
is there (user is/isn't valid), it can be extracted, given time for
statistics -- which of course leads to the defense of only so many
tries per some time interval per username. The point re randomization
is that in this example the covert information channel is variation in time
and after introducing enough artificial delay in the faster paths to make all
approximately equal, an added random delay can pretty much wipe out the channel.

As to covert channels revealing the particulars of a secret algorithm used
to calculate optimum wood cutting or do excellent weather prediction, I'd
say social engineering is probably an easier attack, and a well designed
sequence of problems presented to the wood cutting site would probably
have more information in the answers than in any other observables I can think of.

Which perhaps gets towards Antoon's point (or my projection thereof ;-) -- i.e.,
that the answers provided in an experimental probe of an algorithm are "signal"
for what you want to detect, and randomization may put noise in the signal to
defeat detection (even though enough noise might make the algorithm output unsaleable ;-)

a. a webservice which, for some amount X of money, gives an excellent
heuristic estimate of a good cutting-path for a woodcutting tool (for a
set of shapes to be cut out of standard-sized planks of wood by a
numerically driven cutter): this is a case where ESR, acting as a
consultant, advised his clients (who had developed a heuristic for this
task which saved a lot of wood compared to their competitors') to keep
their code closed-source, and it makes a good use case for the "hide
essential secret parts" in general;

b. a (hypothetical) website that, given time-space coordinates (and some
amount Y of money), produces and returns weather predictions that are
better than those you can get from its competitors.

It appears to me that any application of this kind could work well
without at all "making random alterations" to whatever. Point is, if
you develop a better algorithm (or, more likely, heuristic) for good
solutions to such problems, or predictions of just about anything which
might have economic value to somebody, using a webservice to hide the
essential secret parts of your discovery is an option, and it might be a
preferable alternative to relying on patents (since software patents may
not be enforceable everywhere in the world, and even where they're
nominally enforceable it could prove problematic and costly to actually
deter all would-be competitors from undercutting you). I do not see
anything in your post that contradicts this, except the bare unsupported
assertion that a webservice "can only work well if one makes random
alterations".

Yes, IMO that was an overgeneralization of an idea that may however have
some actual narrow applicability.

Of course. If my "better weather predictor" is in fact based not on
inventing some new algorithm/heuristic, but on having better or more
abundant raw data due to my private network of satellites or other
observation platforms, this doesn't change the economic situation by all
that much (except that patenting may not even be an option in the latter
case, if there's no patentable innovation in that private network); a
competitor *could* reach or surpass my predictions' quality by investing
enough to re-develop the heuristic or duplicate the sensors-network.
So, my pricing should probably take that risk into account.

Deliberately giving predictions worse than I could have given, in this
context, seems a deliberate self-sabotage without any return.


As far as I know, it varies wildly depending on the context, but I
suspect you can find ranges of estimates on the web.

The growth of virtual worlds with virtual money and virtual/"real"
currency exchange is interesting. People are actually making real
money investing in and developing virtual real estate and selling
virtual currency profits for real-world money ;-)

Regards,
Bengt Richter
 

Anton Vredegoor

Bengt said:
I agree with your disagreement in general, but I think Antoon may be
alluding to the "covert channel" problem, where sometimes randomization
of an external observable is a defense. E.g., if a web site login process
responds faster with a rejection of a bad user name (i.e. is not in the authorized
user list) than it does for a valid user name and a bad password, the timing
difference can be used over time to eke out the private user name list, and
make subsequent password attacks that much easier.

Pardon me, but I'm Anton, not Antoon (well maybe I am but let's keep
this distinction in order to avoid mental hash collisions)

I agree with Alex and Bengt that my statement was too general and I
even admit that as I wrote it down the thought of making it less
provocative crossed my mind. However I felt safe because I wrote 'only
work *well*' instead of 'only work *if*' and what is working well is
open for discussion isn't it? Further in my post I wrote something
about adding random fluctuations making it harder to reverse engineer a
procedure so I felt even safer. Not so with Alex's thorough analysis
though :)

What was mostly on my mind (but I didn't mention it) is that for
something to be commercially viable there should be some kind of
pricing strategy (NB in our current economic view of the world) where a
better paying user gets a vip interface and poor people get the
standard treatment.

Since one has to have the optimal result anyway in order to sell it to
the best payers it would be impractical to recompute less accurate
values. Why not just add a random part to make it less valuable for the
unpaying user? I'm thinking about things like specifying a real value
interval where the user can extract data from (this is also a data
compression method, see arithmetic coding for more info).

Which perhaps gets towards Antoon's point (or my projection thereof ;-) -- i.e.,
that the answers provided in an experimental probe of an algorithm are "signal"
for what you want to detect, and randomization may put noise in the signal to
defeat detection (even though enough noise might make the algorithm output unsaleable ;-)

Yeah, sometimes people measure temperature fluctuations in the CPU in
order to get clues about how an algorithm works :) But in fact my mind
works more like some intuitive device that suggests that maybe some
point is safe enough to post or not, without always thinking through
all the details.

If the heuristic always gives the same answer to the same problem it
would be easier to predict the results. Oh no, now some mathematician
surely will prove me wrong :)

Yes, IMO that was an overgeneralization of an idea that may however have
some actual narrow applicability.

Ok. Although it's a bit tricky to prove this by using an example where
the randomness is already in the problem from the start. If one groups
very chaotic processes in the same category as random processes of
course.

Not always, for example with a gradient in user status according to how
much they pay. Note that I don't agree at all with such practice, but
I'm trying to explain how money is made now instead of thinking about
how it should be made.
The growth of virtual worlds with virtual money and virtual/"real"
currency exchange is interesting. People are actually making real
money investing in and developing virtual real estate and selling
virtual currency profits for real-world money ;-)

Yes. Someday our past will be just a variation from the ideal
development that was retroactively fitted to the state the future is
in.

Nice to be speaking to you both.

Anton
 

Alex Martelli

Anton Vredegoor said:
What was mostly on my mind (but I didn't mention it) is that for
something to be commercially viable there should be some kind of
pricing strategy (NB in our current economic view of the world) where a
better paying user gets a vip interface and poor people get the
standard treatment.

Some fields work well with such market segmentation, but others work
perfectly well without it. iTunes songs are 99 cents (for USA
residents; there IS some segmentation by national markets, imposed on
Apple by the music industry) whoever is buying them; I personally think
it would hurt iTunes' business model if the 99-cents song was a "cheap
version" and you could choose to "upgrade" to a better-sounding one for
extra money -- giving the mass-market the perception that they're
getting inferior goods may adversely hurt sales and revenue.

Market segmentation strategies and tactics are of course a huge field of
study, both theoretical and pragmatic (and it's as infinitely
fascinating in the theoretical view, as potentially lucrative or ruinous
in practical application). It's definitely wrong to assume, as in your
statement above, that uniform pricing (no segmentation, at least not
along that axis) cannot work in a perfectly satisfactory way.

If the heuristic always gives the same answer to the same problem it
would be easier to predict the results. Oh no, now some mathematician
surely will prove me wrong :)

"Easier" need not be a problem; even assuming that the heuristic uses no
aspect whatever of randomness, you may easily think of real-world cases
where ``reverse engineering'' the heuristic from its results is
computationally unfeasible anyway. Take the problem of controlling a NC
saw to cut a given set of shapes out of a standard-sized wood plank,
which is one of the real-world cases I mentioned. It doesn't seem to me
that trying to reverse-engineer a heuristic is any better than trying to
devise one (which may end up being better) from ingenuity and first
principles, even if you had thousands of outputs from the secret
heuristic at hand (and remember, getting each of these outputs costs you
money, which you have to pay to the webservice with the heuristic).

Ok. Although it's a bit tricky to prove this by using an example where
the randomness is already in the problem from the start. If one groups
very chaotic processes in the same category as random processes of
course.

Well, economically interesting prediction problems do tend to deal with
systems that are rich and deep and complex enough to qualify as chaotic,
if not random -- from weather to the price of oil, etc etc. But
problems of optimization under constraint, such as the NC saw one,
hardly qualify as such, it seems to me -- no randomness nor necessarily
any chaotic qualities in the problem, just utter computational
unfeasibility of algorithmic solutions and the attendant need to look
for "decently good" heuristics instead.

Not always, for example with a gradient in user status according to how
much they pay. Note that I don't agree at all with such practice, but
I'm trying to explain how money is made now instead of thinking about
how it should be made.

Money is made in many ways, essentially by creating (perceived) buyer
advantage and capturing some part of it -- but market segmentation is
just one of many ways. IF your predictions are ENORMOUSLY better than
those the competition can make, then offering for free "slightly
damaged" predictions, that are still better than the competition's
despite the damage, MIGHT be a way to market your wares -- under a lot
of other assumptions, e.g., that there is actual demand for the best
predictions you can make, the ones you get paid for, so that your free
service doesn't undermine your for-pay one. It just seems unlikely that
all of these preconditions would be satisfied at the same time; better
to limit your "free" predictions along other axes, such as duration or
location, which doesn't require your predictions' accuracy advantage to
be ENORMOUS _and_ gives you a lot of control on "usefulness" of what
you're supplying for free -- damaging the quality by randomization just
seems to be unlikely to be the optimal strategy here, even if you had
determined (or were willing to bet the firm that) market segmentation is
really the way to go here.

Analogy: say you make the best jams in the world and want to attract
customers by showing them that's the case via free samples. Your
randomization strategy seems analogous to: damage your jam's free
samples by adding tiny quantities of ingredients that degrade their
flavor -- if your degraded samples are still much better than the
competitors' jam, and there's effective demand for really "perfect" jam,
this strategy MIGHT work... but it seems a very, very far-fetched one
indeed. The NORMAL way to offer free samples to enhance, not damage,
the demand for your product, would be to limit the samples along
completely different axes -- damaging your product's quality
deliberately seems just about the LAST thing you'd want to do; rather,
you'd offer, say, only tiny amounts for sampling, and already spread on
toast so they need to be tasted right on the spot, enticing the taster
to purchase a jar so they can have the amount of jam they choose at the
time and place of their choosing.

I hope this analogy clarifies why, while I don't think deliberate damage
of result quality can be entirely ruled out, I think it's extremely
unlikely to make any sense compared to other market segmentation
tactics, even if you DO grant that it's worth segmenting (free samples
are an extremely ancient and traditional tactic in all kinds of food
selling situations, after all, and when well-designed and promoting a
product whose taste is indeed worth a premium price, they have been
repeatedly shown to be potentially quite effective -- so, I'm hoping
there will be no debate that the segmentation might perfectly well be
appropriate for this "analogy" case, whether it is or isn't in the
originally discussed case of selling predictions-via-webservices).


Alex
 

Bengt Richter

On 18 Nov 2005 06:56:38 -0800 said:
Pardon me, but I'm Anton, not Antoon (well maybe I am but let's keep
this distinction in order to avoid mental hash collisions)

D'oh. I'm sorry. Please pardon _me_ ;-/

Regards,
Bengt Richter
 

Serge Orlov

Ben said:
That's irrelevant. We don't require a citable source to prove the
simple fact that x86 binaries do not by default contain symbol names
whereas Python .pyc and .pyo files do contain them. So any
decompilation of (for example) C++ code is going to lose all the
readable qualities, as well as missing any symbolic constants,
enumerations, templated classes and functions, macros, #includes,
inlined functions, typedefs, some distinctions between array indexing
and pointer arithmetic, which inner scope a simple data variable is
declared in, distinctions between functions/member functions declared
as not 'thiscall'/static member functions, const declarations, etc.

If your protection actually boils down to "if (licensed) ..."
everything you described will just slightly inconvenience an experienced
cracker. I've read a cracker's detailed walkthrough, it took him 26
minutes to crack a program that asks for a serial number. Basically it
looks like this: set breakpoint on event where "OK" button is pressed
after a serial number is entered, set watchpoint on memory where the
serial number is stored, study all places where this memory is read,
find the ultimate "jump if" instruction.


You can definitely extract something useful from them, but without
symbol names you're going to have to be working with a good debugger
and a decent knowledge of how to use it if you want to find anything
specific. Whereas Python could give you something pretty obvious such
as:

6 LOAD_FAST 0 (licensed)
9 JUMP_IF_FALSE 9 (to 21)

I can suggest at least two methods to obfuscate python byte code:

1. Apply some function before writing byte code to file, apply reverse
function upon reading.

2. Take opcodes.h and assign new random numbers to opcodes, also take
ceval.c and reorder opcode handlers in the switch statement to make
reverse engineering even harder.

I believe this will require at least several hours of manual work
before you can use stock python disassembler.

My interest lies in being able to use encrypted data (where 'data' can
also include parts of the code) so that the data can only be read by my
Python program, and specifically by a single instance of that program.
You would be able to make a backup copy (or 20), you could give the
whole lot to someone else, etc etc. I would just like to make it so
that you can't stick the data file on Bittorrent and have the entire
world playing with data that was only purchased once.

This is doable even in python. Basic idea is that you need to spread
your obfuscation code and blend it with algorithm:

1. Generate user identity on your server and insert it inside your
distribution. Spread it all over the code, don't store it in a file,
don't store in one big variable, instead divide the user identity in
four bits part and spread their storage over different places. Note
this actually doesn't have anything to do with python, it's true for
C/C++. If you don't follow this your protection is vulnerable to replay
attack: crackers will just distribute data file + stolen user identity.

2. Generate custom data files for each user, using various parts of
user id as scrambling key for different parts of the data file. For
example: suppose you have data file for a game and you store initial
coordinates of characters as coordinates (0..65535,0..65535) as four
bytes. Normal code to load them from file would look like

x,y = buf[0]+256*buf[1], buf[2]+256*buf[3]

obfuscated would look like

x,y = buf[0]+c*((buf[1]+ t + 7)&(c-1)), buf[2]+c*((buf[3]+ t + 7)&(c-1))

where t contains some bits from user id and c==256



I hope it's not a very vague description. I think this approach will do
what you want. Don't forget that you will also need to bind your program
to hardware, or users will just distribute your program + data file
together. I hope they won't mind that your program is tied to one
computer :)
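
The point quoted in the post above, that compiled Python files keep their symbol names, can be checked on your own build output. The following is an added example, not code from the thread: it compiles a constructed sample module to a `.pyc`, loads the code object back with `marshal`, and lists the identifiers and string constants that survive. The sample source and function names are assumptions, and the 16-byte header size applies to CPython 3.7 and later.

```python
import marshal
import os
import py_compile
import tempfile
import types

# Constructed sample module (not from the thread): a licence gate of the
# 'if (licensed) ...' kind discussed above.
SAMPLE_SOURCE = '''
SERIAL_PREFIX = "ACME-"

def check_serial(serial):
    licensed = serial.startswith(SERIAL_PREFIX)
    if licensed:
        return unlock_features()
    return False

def unlock_features():
    return True
'''

# CPython 3.7+: 4 bytes magic, 4 bytes flags, 8 bytes mtime+size or hash.
PYC_HEADER_SIZE = 16


def load_code_from_pyc(path):
    """Return the top-level code object stored in a .pyc file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return marshal.loads(data[PYC_HEADER_SIZE:])


def surviving_symbols(code, found=None):
    """Map each code object's name to the identifiers and strings it keeps.

    Walks nested code objects (functions, classes) through co_consts.
    """
    if found is None:
        found = {}
    names = (set(code.co_names) | set(code.co_varnames)
             | set(code.co_freevars) | set(code.co_cellvars))
    strings = {c for c in code.co_consts if isinstance(c, str)}
    found[code.co_name] = {"names": names, "strings": strings}
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            surviving_symbols(const, found)
    return found


def audit_sample():
    """Compile SAMPLE_SOURCE to a real .pyc and report what it reveals."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.py")
        pyc = os.path.join(tmp, "sample.pyc")
        with open(src, "w") as fh:
            fh.write(SAMPLE_SOURCE)
        py_compile.compile(src, cfile=pyc, doraise=True)
        return surviving_symbols(load_code_from_pyc(pyc))


if __name__ == "__main__":
    for owner, info in audit_sample().items():
        print(owner)
        print("  names:  ", sorted(info["names"]))
        print("  strings:", sorted(info["strings"]))
```
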
 

Steven D'Aprano

My interest lies in being able to use encrypted data (where 'data' can
also include parts of the code) so that the data can only be read by my
Python program, and specifically by a single instance of that program.
You would be able to make a backup copy (or 20), you could give the
whole lot to someone else, etc etc. I would just like to make it so
that you can't stick the data file on Bittorrent and have the entire
world playing with data that was only purchased once.

Well, if and when you find a way to make water not wet and three-sided
squares, then you can turn your mind towards solving the *really* hard
problem: how to make bytes not copyable.
 

Anton Vredegoor

Alex said:
Money is made in many ways, essentially by creating (perceived) buyer
advantage and capturing some part of it -- but market segmentation is
just one of many ways. IF your predictions are ENORMOUSLY better than
those the competition can make, then offering for free "slightly
damaged" predictions, that are still better than the competition's
despite the damage, MIGHT be a way to market your wares -- under a lot
of other assumptions, e.g., that there is actual demand for the best
predictions you can make, the ones you get paid for, so that your free
service doesn't undermine your for-pay one. It just seems unlikely that
all of these preconditions would be satisfied at the same time; better
to limit your "free" predictions along other axes, such as duration or
location, which doesn't require your predictions' accuracy advantage to
be ENORMOUS _and_ gives you a lot of control on "usefulness" of what
you're supplying for free -- damaging the quality by randomization just
seems to be unlikely to be the optimal strategy here, even if you had
determined (or were willing to bet the firm that) market segmentation is
really the way to go here.

Suppose I grant all your theories about optimal marketing strategies.
This still doesn't account for the way the market is behaving *now*. It
isn't in any way logical or optimal. For example in Holland (where I
live) complete governmental departments are dedicated to make life
miserable for the unemployed, for asylum seekers, for people that
disagree with any official policy. If looking at the recent
developments in France I find it hard to believe that such social
inequality and injustice develops naturally. To me it looks more like
it's caused by organized crime, where *official* legal governmental
organizations are either criminal organizations themselves or are
cooperating with such organizations.

You seem to tackle the problem of python obfuscation by first proving
that it isn't feasible and then giving some kind of solution that will
work and give the desired result: webservices. However when I look at
obfuscation techniques I see a desire to profit from giving some person
the idea that he or she is superior to someone else because he has a
better product. In order to avoid copying we now need obfuscation. The
difficulty to copy the thing (whether it is a swiss watch, a sportscar,
designer clothes, the latest computer game, an ipod, a computer
program) is part of the advertising game and is the basis for
associating it with a certain status. If you look for a few minutes at
a TV screen and notice what the commercials are trying to tell you, you
will see that it's almost always that you will be better, stronger,
more popular or beautiful etc. if only you use product X.

You are perfectly right if you would say that it is an illogical
strategy to make people feel better relative to other people in order
to get them to do something you want. Commercial entities could in
principle be free of such things but we live in a world that is
dominated by this worldview and if one tries to sell something one has
to take that into account.

So how to get the same kind of market segmentation (as you call it)
when you deploy your program as a webservice and where essentially the
cost for you (moving a few electrons to produce a solution to a
problem) is exactly the same whether you give the user a good or a bad
result. If you give optimal results to everyone, users will go to other
sites just because these sites give them opportunity to feel better
than other people, not because this is objectively better, but just
because that is how they think the world "works".

I hope this analogy clarifies why, while I don't think deliberate damage
of result quality can be entirely ruled out, I think it's extremely
unlikely to make any sense compared to other market segmentation
tactics, even if you DO grant that it's worth segmenting (free samples
are an extremely ancient and traditional tactic in all kinds of food
selling situations, after all, and when well-designed and promoting a
product whose taste is indeed worth a premium price, they have been
repeatedly shown to be potentially quite effective -- so, I'm hoping
there will be no debate that the segmentation might perfectly well be
appropriate for this "analogy" case, whether it is or isn't in the
originally discussed case of selling predictions-via-webservices).

I agree it doesn't make sense. Like uncle Harry who thinks he can lay
golden eggs. We could cure him but we need the eggs :)

Alternatively, let's just forget about obfuscation and try to get
people to freely share by promoting open source (and open webservices).

Anton
 

Alex Martelli

Anton Vredegoor said:
Suppose I grant all your theories about optimal marketing strategies.
This still doesn't account for the way the market is behaving *now*. It
isn't in any way logical or optimal. For example in Holland (where I
live) complete governmental departments are dedicated to make life

What makes you think that governmental departments are part of the
*market*?! Government behavior is controlled by laws that are vastly
different from those controlling market behavior; if you're interested,
you could study the "theory of public choice".

Studying "perfect" markets (which can be mathematically proven to be
optimal in some senses -- the Arrow-Debreu Model, for example) is
parallel to studying physical systems that do not have attrition or
other such complications -- it's mathematically sharp (not easy, but WAY
easier than taking account of all the complications of the real world),
intellectually fascinating, AND practically useful in many (not all)
cases, since many real systems can be usefully modeled as "perfect" ones
with "perturbations" (second-order effects) considered separately.

If Galileo had tried to START physics by studying real-world systems in
all of their complexity, we'd still be at square zero; fortunately, he
was able to identify systems "close enough to perfect" (e.g., heavy
weights falling to the ground, compact enough to ignore air resistance,
etc) to get the ball rolling. Physics still faces a lot of challenges
after many centuries in areas where the "perturbations" are much
stronger than "second-order" -- I'm told our physical modeling of cloud
systems or such everyday phenomena as welding is still way from perfect,
for example (forget quantum and relativistic effects... I'm talking of
everyday observations!-), and of course so does the much younger
discipline of mathematical economics. Nevertheless the study of the
"perturbations" is well under way, with Nobel memorial prizes having
already been awarded in such fields as "bounded rationality" and
asymmetric-information markets.

Just like a gunner in the mid-19th century had to know fundamental
physics pretty well, but also developed experience-based heuristics to
compensate for all of the "perturbations" in his system, so the
practicing economic actor today needs a mix of science and art (in the
original meaning of "art", of course).

You seem to tackle the problem of python obfuscation by first proving
that it isn't feasible and then giving some kind of solution that will
work and give the desired result: webservices. However when I look at

That seems to me to be a practicable technical approach, yes.

obfuscation techniques I see a desire to profit from giving some person
the idea that he or she is superior to someone else because he has a
better product. In order to avoid copying we now need obfuscation. The

You're discussing the *motivation* for obfuscating, while what I was
giving was a possible way of *implementing* similar effects.

difficulty to copy the thing (whether it is a swiss watch, a sportscar,
designer clothes, the latest computer game, an ipod, a computer
program) is part of the advertising game and is the basis for
associating it with a certain status. If you look for a few minutes at

Yes, this is close to the theory of luxury goods (which is WAY
underdeveloped, by the way: if you're a post-doctoral student in
economics and are wondering where best to direct your research in order
to stand a chance to gain a Nobel memorial prize some day, you could do
worse than turn your efforts to this field). The maths are complicated,
in the theory of luxury goods, because utility is RELATIVE: buyer's
advantage cannot be computed, even theoretically, from knowing just the
buyer's utility curve and the amount of good supplied to that buyer,
because the curve depends on the *relative* amounts supplied to that
buyer versus other buyers.

Throw asymmetric information into the mix, and, besides a mathematically
unmanageable mess, you get the famous anomaly whereby an INCREASE in the
price may locally result in an INCREASE in demand (backwards-sloping
price-demand curve) -- each buyer, lacking information about other
buyers, infers it from price signals, and *assumes* (as is normally the
case) that higher price means fewer buyers; since fewer buyers means a
higher relative advantage, this assumption increases each buyer's
appetite and thus, in the aggregate, raises demand.

While this is fascinating as an open research topic, AND crucial to
economic survival for purveyors of luxury goods, I dispute the wisdom of
trying to model MOST markets of interest as subject to the fascinating
complications of "luxury goods theory".

Take, again, the specific example of the sawmill with NC saws, doing
custom work by cutting customer-specified shapes out of standard planks
of wood. If things can be optimized, so that six such shapes can be cut
out of each plank rather than the five which would result from a simple
layout of the shapes, the mill can meet an order for 3000 shapes by
consuming 500 planks of wood, rather than taking up 600 planks. There
is no need at all for any of the complications of luxury-goods theory to
understand and model this: the developer of the superior heuristic has
created "objective" value, under the simple and natural assumptions that
wood costs money and wasting less wood for the same output is therefore
an indisputable savings.

NOW you may get into the issue of how that value is split between
supplier (of the heuristic) and buyer (the sawmill), under various
possible arrangements. Market segmentation may well enter the picture
here, because there may be different orders of widely different sizes --
maybe 3000 shapes is a typical order, but there may be some for 300
shapes and some for as many as 30,000; if the supplier charges the same
price for usage of his heuristic for any size of order, either the
heuristic will not get used for the smaller orders (making the overall
"pie" of value to share smaller), or the buyer will capture close to all
the value for larger orders ("buyer's advantage" situation). So, it is
definitely to the supplier's advantage, and it can be shown that
situations exist in which it's of MUTUAL advantage, if different prices
can be used for the same (good or) service when used in different
situations (size of orders), which is exactly what market segmentation
is all about.

a TV screen and notice what the commercials are trying to tell you, you
will see that it's almost always that you will be better, stronger,
more popular or beautiful etc. if only you use product X.

Whether such ads WORK, of course, is an entirely open question; targeted
ads, which get paid for only when they DO work, appear to be the
direction advertising is taking these days.

Anyway, ads are practically _irrelevant_ to all we were talking about so
far, except in as much as they may help in asymmetric information
markets, which is a separate (and infinitely fascinating) sector of
economic theory. It seems to me that you're mixing in all sort of
somewhat anecdotal observations, without a sound basis in either
economical theory or deep practical experience, just as when you were
taking your opinions about government departments as somehow related to
the working of markets (?).

If Galilei had started dispersing his energies and attention by worrying
about the COLORS in which the balls he was dropping to the ground were
painted, rather than focusing on RELEVANT issues such as size and mass,
he'd hardly have made much progress on the issue, would he?-)

You are perfectly right if you would say that it is an illogical
strategy to make people feel better relative to other people in order
to get them to do something you want. Commercial entities could in

I'm not saying that: if I had to sell luxury goods, I would definitely
pursue such a strategy. However, there are plenty of goods and services
which do NOT particularly need the complications of luxury-goods theory.

principle be free of such things but we live in a world that is
dominated by this worldview and if one tries to sell something one has
to take that into account.

If you're selling luxury goods, sure, you can't afford to ignore related
issues. But for most goods and services, particularly in the "business
to business" sector, the approach (which DOES get tried, as you can see
by some ads in magazines such as the Economist, Business Week, Forbes,
and so on) is IMHO quite silly (and a good example of that 50% of money
spent on advertising that is proverbially wasted).

So how to get the same kind of market segmentation (as you call it)
when you deploy your program as a webservice and where essentially the
cost for you (moving a few electrons to produce a solution to a
problem) is exactly the same whether you give the user a good or a bad
result. If you give optimal results to everyone, users will go to other
sites just because these sites give them opportunity to feel better
than other people, not because this is objectively better, but just
because that is how they think the world "works".

I believe that you are quite wrong: if your results are in fact better
than other sites', users will come get your results. Markets are
imperfect, rationality is bounded, etc, etc, but users in general are
not total morons, to deliberately go and get worse results "to feel
better than other people". For example...:

I was reading recently that Google's market share of web searches has
grown from 47% to 57%, comparing September 2004 with Sep 2005, for
example. If your theory had ANY validity whatsoever, this should be
impossible, since Google does give the best results it can to any comer;
therefore, it would follow from your theory, another site could steal
our traffic by serving artificially-degraded results to the non-paying
public, and true search results only to subscribers, or something. The
world just does not work this way -- thanks be.

Similarly: until recently, Opera "degraded" the user experience of
non-fee-paying users (by devoting a portion of its window to showing
banner ads) and required users to pay a fee (so, according to your
theory, "feeling better than other people") to get a pure, undegraded
browsing experience. Firefox came along and "gave optimal results to
everyone" instead. Result: Firefox ate Opera's lunch, forcing Opera to
change its business model drastically. These events, once again, are
totally incompatible with the theory you advance in this paragraph.

I doubt you will be able to do a good job of comprehending, much less
_explaining_, market segmentation strategies and tactics, unless you
take the trouble to shed the ideological baggage, and stop trying to
force a vision of the huge system that's the complex of markets in this
world through the narrow slit of that small subset of those which are
"luxury-good markets". I don't deny that luxury goods exist (that would
be just as silly as your attempt to claim that ALL goods and services
fall under the complexity of luxury-good market theory!): I specifically
claim that luxury-goods situations are a small subset of markets (they
may be very visible, and can command large profit margins to offset
their small volumes and large advertising costs, but they're still
NICHES compared to "where the action is", namely ALL OTHER markets put
together).

Alternatively, let's just forget about obfuscation and try to get
people to freely share by promoting open source (and open webservices).

I tend to a more pragmatic stance, just like Eric Raymond: although open
source is going to prove preferable in _most_ cases, there _will_ be
other cases (like the NC saw example, where ESR himself was the
consultant who advised the inventors to keep their new heuristic a
secret) where the overall production of value in the world (quite apart
from who's going to capture what fraction of that value) will increase
if certain kinds of innovations can be exploited by their inventor.

Since redistribution of value, as long as a lot of value is created, can
be dealt with by other means, maximizing the creation of value tends to
be the goal I prefer -- a policy that quashes part or all of value
creation based on redistributive precepts is, by this very fact, going
to be something I look askance at (making the pie smaller to try to
ensure that what little is left gets sliced according to your political
preferences, rather than ensuring the pie is as big as possible as the
first order of business, and dealing with the slicing issues as
_secondary_ ones).


Alex
 

Anton Vredegoor

I wish I hadn't done that :) But seriously, I'm having trouble
answering in detail all of your points (which doesn't mean I don't
value them highly) because my online time is limited by the time period
this library is open, and I also want to scavenge as much offline
reading material as possible while I'm connected.

What makes you think that governmental departments are part of the
*market*?! Government behavior is controlled by laws that are vastly
different from those controlling market behavior; if you're interested,
you could study the "theory of public choice".

I don't think so, so the question can't be answered. It's the same
logic that enabled me to say "paid webservices can only work well if"
when in context of replacing obfuscation techniques. From 1+1 == 3 I
can derive anything. I know it's lame, but my time limitation forces me
to go back (or up) one level in order to refute you.

That seems to me to be a practicable technical approach, yes.


You're discussing the *motivation* for obfuscating, while what I was
giving was a possible way of *implementing* similar effects.

Yes, that's the point. If you can produce at zero cost then the whole
economic theory falters. You enter another continuum where traditional
economic values become meaningless. From obfuscation to webservices is
a big step in that direction.

Since redistribution of value, as long as a lot of value is created, can
be dealt with by other means, maximizing the creation of value tends to
be the goal I prefer -- a policy that quashes part or all of value
creation based on redistributive precepts is, by this very fact, going
to be something I look askance at (making the pie smaller to try to
ensure that what little is left gets sliced according to your political
preferences, rather than ensuring the pie is as big as possible as the
first order of business, and dealing with the slicing issues as
_secondary_ ones).

I agree with your sentiment, but in order to maximize value creation we
should leave material payments out of the equation when they only slow
things down. From your writing I gather you already live in those
quarters but you are still using materialistic concepts to describe the
world. I don't blame you for it because I wouldn't know myself what
would be applicable to a zero cost - maximal gain economy.

Anton
 

Peter Maas

yepp said:
Once you got the model of free and open source software you can't but shake
your head at obfuscating people treating their users as enemies.

Sorry but this is naive nonsense. Open source is a good model but
it can't be applied everywhere. Look at the following example:

There is a company who is developing and marketing a single application.
It is a simulation software for industrial processes which embodies an
enormous amount of knowledge accumulated by the hard work of many
individuals since about twenty years, algorithmic, process, implementation,
market knowledge. This application is of great value to the customers
because it helps them save lots of money and improve the quality of their
products. No wonder that they have (and are willing) to pay a considerable
price for it.

If the company would decide to go open source it would be dead very soon
because it would no longer have a competitive advantage. Most customers
wouldn't see the necessity to pay high prices, the competition would use
the source code in their own products, the earnings would fall rapidly and
there wouldn't be enough money available to pay highly skilled developers,
engineers and scientists for continued development.

In certain sense suppliers and customers ARE enemies because they have
different interests. The customer will pay a price only if it is necessary
to get the product. If he can get it legally for nothing he won't pay anything
or at least not enough.

So please: continue praising OSS (as I do) but don't make ideological claims
that it fits everywhere.

Peter Maas, Aachen
 

Chris Mellon

Sorry but this is naive nonsense. Open source is a good model but
it can't be applied everywhere. Look at the following example:

There is a company who is developing and marketing a single application.
It is a simulation software for industrial processes which embodies an
enormous amount of knowledge accumulated by the hard work of many
individuals since about twenty years, algorithmic, process, implementation,
market knowledge. This application is of great value to the customers
because it helps them save lots of money and improve the quality of their
products. No wonder that they have (and are willing) to pay a considerable
price for it.

You just described UNIX, which has been all but replaced by open
source projects, and the general state of the operating system market
a few decades ago.

If the company would decide to go open source it would be dead very soon
because it would no longer have a competitive advantage. Most customers
wouldn't see the necessity to pay high prices, the competition would use
the source code in their own products, the earnings would fall rapidly and
there wouldn't be enough money available to pay highly skilled developers,
engineers and scientists for continued development.

In certain sense suppliers and customers ARE enemies because they have
different interests. The customer will pay a price only if it is necessary
to get the product. If he can get it legally for nothing he won't pay anything
or at least not enough.

So please: continue praising OSS (as I do) but don't make ideological claims
that it fits everywhere.

You're looking at the wrong things here. What you're describing is
actually a potentially very successful open source project - many
companies, single source, highly technical, high price. An open source
project could easily succeed in this area. Of course, it would not be
in the interest of the current monopoly supplier to open source their
product. But a third party that started such a project could quite
possibly succeed. Not that it necessarily would, knowing what I know
about business - hell, I can't even get approval to use Eclipse on a
couple desktops.
 

Peter Maas

Chris said:
You just described UNIX, which has been all but replaced by open
source projects, and the general state of the operating system market
a few decades ago.

No, I didn't describe UNIX. UNIX and OSs in general are software which is
needed by everybody who is using a computer. You have many developers all
over the world willing to contribute. But the software I mentioned is a
highly specialized field with a (compared to OS users) tiny number of
customers and a degree of complexity at least the same as an OS. So I
think that an OSS model wouldn't work here. Also using UNIX as an example
is questionable here because of its special history. UNIX was to a large
extent developed in academic environments and later closed sourced by AT&T
at a time when much OS specific knowledge was available in universities.

You're looking at the wrong things here. What you're describing is
actually a potentially very successful open source project

Successful for whom?
- many
companies, single source, highly technical, high price. An open source
project could easily succeed in this area. Of course, it would not be
in the interest of the current monopoly supplier to open source their
product.

The supplier doesn't have a monopoly. He has competition but the supplier
started first, has always been the pacemaker and has therefore an advance.
His revenues are based on this advance. If somebody would suggest him to
go open source - what would be the advantage for him? Doing business is a
game, games are about winning and it isn't realistic to tell a player
to commit suicide.

But a third party that started such a project could quite
possibly succeed.

There are several 3rd parties all with closed source :) If an OSS 3rd
party would enter the game it would have to answer the question how
to fund the development. To succeed the OSS player would have to catch
up to its closed source competitors. This is anything but easy - there
is a lot of knowledge (a crucial part of it not available for the
public) to be worked out. The developers have to earn money, who pays
them?

I think a lot of people believe OSS isn't about money. This is wrong.
Either OSS developers are working in their spare time for their own
pleasure. This puts some limits on their projects. Or they are working
all the day on OSS projects. Then they have to be paid, e.g. by academic
institutions (tax payer) or by companies like IBM and Novell who are
funding OSS because they have appropriate business models. There's
nothing wrong about this. But to pretend that OSS miraculously solves
the money problem for consumers _and_ producers is wrong IMO.

There are conditions for OSS to succeed. It is worthwhile to get to
know these conditions. To claim that there are no conditions at all and
OSS is successful by itself is certainly not true.

Peter Maas, Aachen
 
