Selling Python Software

[Will Stuyvesant]

Suppose I want to sell a (small, 1000 lines) Python program. It is a
commandline program for database applications and I have a customer.
The customer wants to "try it out" before buying. The try-out version
should be a full, complete, version.

As much as I like the opensource movement, I have a problem now. If I
just give them the Python source code then they can show it to their
programmers and they have no reason anymore to pay money to me. Sure
that would break our agreements, but you know bussiness, legal issues.
The thing the customer is interested in is the algorithm used in the
program. Not much I could do about such a scenario effectively.

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

Anybody has a solution to this, besides more legal paperwork (I am in
europe...forget about claiming your rights here)? Is it not possible
to give away a Windows .exe file that can not be decompiled (or only
with *extreme* difficulty)?

 

[Erik Max Francis]

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

It's always possible to decompile programs compiled to machine code, as
well, you know. Ultimately, every software developer must defend
himself with licenses and legal means, not technical ones.

 

[Alex Martelli]

It's always possible to decompile programs compiled to machine code, as
well, you know. Ultimately, every software developer must defend
himself with licenses and legal means, not technical ones.

....unless said SW developer keeps the extremely precious parts of his
SW safely on a network server under his control (yes, it IS possible
to technically secure that -- start with an OpenBSD install... and
only distributes the run-of-the-mill "client-oid" parts he doesn't
particularly mind about. The server-side SW can supply the precious
parts of the overall program's functionality to the client-side SW
via secure webservices or proprietary protocols; this also allows you
to enforce different business models (subscription, pay-per-use, ...)
more easily than distributing things does.

Very little software is WORTH protecting so closely, but for that
1 in 1000, or whatever, this option IS, IMHO, worth considering.


Alex

 

[Alex Martelli]

Suppose I want to sell a (small, 1000 lines) Python program. It is a
commandline program for database applications and I have a customer.
The customer wants to "try it out" before buying. The try-out version
should be a full, complete, version.

As much as I like the opensource movement, I have a problem now. If I
just give them the Python source code then they can show it to their
programmers and they have no reason anymore to pay money to me. Sure
that would break our agreements, but you know bussiness, legal issues.
The thing the customer is interested in is the algorithm used in the
program. Not much I could do about such a scenario effectively.

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

Yes, exactly as could be done if you coded your precious algorithm
in C, machine-language, or whatever: if you distribute executable
code it CAN be cracked and the algorithm reverse-engineered (see any
warez site: game companies go to HUGE length to defend their programs
and they STILL get cracked anyway).

Anybody has a solution to this, besides more legal paperwork (I am in
europe...forget about claiming your rights here)? Is it not possible
to give away a Windows .exe file that can not be decompiled (or only
with *extreme* difficulty)?

"Can not be decompiled" is impossible whatever language you're using.

"*extreme* difficulty" is in the eye of the beholder. You can e.g.
add layers of encryption/decription to the bytecode, etc, but whatever
you do somebody else can undo. Depending on the relative skills of
you and the "somebody else" the ratio (your effort to keep things
secret, to theirs to uncover them) can be any.

Couldn't you keep some crucial part of your precious algorithm OFF
the code you distribute, and have said code access said part via
webservices towards your personally-controlled, secure host?


Alex

 

[Radovan Garabik]

Suppose I want to sell a (small, 1000 lines) Python program. It is a
commandline program for database applications and I have a customer.
The customer wants to "try it out" before buying. The try-out version
should be a full, complete, version.

As much as I like the opensource movement, I have a problem now. If I
just give them the Python source code then they can show it to their
programmers and they have no reason anymore to pay money to me. Sure
that would break our agreements, but you know bussiness, legal issues.
The thing the customer is interested in is the algorithm used in the
program. Not much I could do about such a scenario effectively.

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

Anybody has a solution to this, besides more legal paperwork (I am in
europe...forget about claiming your rights here)? Is it not possible
to give away a Windows .exe file that can not be decompiled (or only
with *extreme* difficulty)?

use upx to pack it. Of course, it is always possible to unpack
the executable, but if an effort to do so is bigger that money they would
pay you, it would not be in their interest. Or enter into google
"encrypt executable" and it will give you a plethora of links.

--
-----------------------------------------------------------
| Radovan Garabík http://melkor.dnp.fmph.uniba.sk/~garabik/ |
| __..--^^^--..__ garabik @ kassiopeia.juls.savba.sk |
-----------------------------------------------------------
Antivirus alert: file .signature infected by signature virus.
Hi! I'm a signature virus! Copy me into your signature file to help me spread!

 

[John J. Lee]

"Can not be decompiled" is impossible whatever language you're using.

"*extreme* difficulty" is in the eye of the beholder. You can e.g.
add layers of encryption/decription to the bytecode, etc, but whatever
you do somebody else can undo. Depending on the relative skills of
you and the "somebody else" the ratio (your effort to keep things
secret, to theirs to uncover them) can be any.

[...]

Whie this is all true, you seem to put undue emphasis on the fact that
it's always *possible* to decompile stuff. Isn't the point you make
in your last sentence actually crucial here? The game is to make your
opponent (customer ;-) incur more expense in decompiling it than it
would cost to just go ahead and pay you, is it not? And yeah, you
also have to take into account how much it costs you to come up with
the protection scheme, of course.

So, is there a good practical solution of that form, for Python code
of this sort of size (or any other size)? I suspect the answer for
standard Python may be no, while the answer for optimising compilers
may be yes -- but that's just a guess.


John

 

[Peter Hansen]

Suppose I want to sell a (small, 1000 lines) Python program. It is a
commandline program for database applications and I have a customer.
The customer wants to "try it out" before buying. The try-out version
should be a full, complete, version.

As much as I like the opensource movement, I have a problem now. If I
just give them the Python source code then they can show it to their
programmers and they have no reason anymore to pay money to me. Sure
that would break our agreements, but you know bussiness, legal issues.
The thing the customer is interested in is the algorithm used in the
program. Not much I could do about such a scenario effectively.

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

Anybody has a solution to this, besides more legal paperwork (I am in
europe...forget about claiming your rights here)? Is it not possible
to give away a Windows .exe file that can not be decompiled (or only
with *extreme* difficulty)?

I've read the other answers here, which pretty much just repeat past
discussions, but I think the various respondents have to some extent
not paid close attention to your *specific* needs here.

Alex is pretty close to the mark, but there's no need to be as extreme
as his "start with OpenBSD install" response to Erik Max Francis, as
you definitely don't need the high security of this approach.

Nevertheless, the server-based-code approach is definitely the only
one that is worth the effort here, considering that the effort is
practically nil (or should be, as if you're really trying to sell
commercial software, having access to an Internet server should be
a pretty trivial thing). You could use Pyro to make the fact that
part of the system is running on a server practically transparent
both to the potential customer and to you. Moving the server-based
code into the real application once they've paid you would be a
tiny last step.

"Only decompiled with *extreme* difficulty?" There is no such approach
within your means, I'm afraid, and there are any number of stories
from the real world which ipso facto prove it. There *are* hardware-key
based solutions, but I can tell you from personal experience that
they will really not stop a determined attacker and in any case they
will cost more to implement than the potential income from your
1000-line Python program.

On another note, having been in the consulting business myself for
years (before my current job) I would give you this advice. Don't
underestimate the value of a trusting business relationship, nor
the value of a decent written contract. If you are right that this
customer would cheat you at the earliest opportunity, you are
likely going to find yourself cheated in some manner no matter
what you do. Without adequate attention to written agreements and
a good mutual understanding, you could just as well find yourself
in the position of having delivered the final, unprotected version
to them and still not get paid because "it doesn't meet the
requirements you promised to implement" or something like that.

A decent license *should* be adequate for just about any customer
with whom you ought to be doing business. IMHO.

-Peter

 

[Alex Martelli]

"Can not be decompiled" is impossible whatever language you're using.

"*extreme* difficulty" is in the eye of the beholder. You can e.g.
add layers of encryption/decription to the bytecode, etc, but whatever
you do somebody else can undo. Depending on the relative skills of
you and the "somebody else" the ratio (your effort to keep things
secret, to theirs to uncover them) can be any.

[...]

Whie this is all true, you seem to put undue emphasis on the fact that
it's always *possible* to decompile stuff. Isn't the point you make
in your last sentence actually crucial here? The game is to make your

Of course it's crucial. But so what?

opponent (customer ;-) incur more expense in decompiling it than it
would cost to just go ahead and pay you, is it not? And yeah, you
also have to take into account how much it costs you to come up with
the protection scheme, of course.

Of course. It can be framed as a zero-sum game of incomplete
information on both sides. You don't really know that anybody
will ever try to steal your code -- any eurocent you invest in
protecting it might be a complete waste, if nobody ever even
dreams of so trying. At the other extreme, whoever tries to do
the stealing might be technically good and well informed, as well
as dishonest, so that in 5 minutes they destroy 5 days' worth of
work by you on "protection". In both cases, investing in such
protection is throwing money away from your POV. The hypothetical
adversary, for his part, may not know and be unable to gauge the
effort needed to crack and steal your code -- if he's not well
informed nor competent, he might just be flailing around for 10
days and stop just before the 11th day's effort WOULD deliver the
illegal goods he's after.

Of course, guess what IS the effect on this game's payoff matrix
of discussing technical possibilities in a public forum. "I give
you three guesses, but the first two don't count"....

So, is there a good practical solution of that form, for Python code
of this sort of size (or any other size)? I suspect the answer for
standard Python may be no, while the answer for optimising compilers
may be yes -- but that's just a guess.

The answer is no for either case. I've spent too high a proportion of
my life (at my previous employer) putting "protection systems" in
place (including optimising compilers, weird machine-code tricks,
even in one case some microcode hacks), and it was the worst waste of
my time anybody could possibly devise.

Part of the problem is, that the "warezdoodz culture" is stacked
against you. If you DO come up with a novel approach, that is a
challenge to guys who SPEND THEIR LIFE doing essentially nothing
but cracking software-protection schemes *for fun*. Even if it's
taken you 10 hours and it makes them spend 20 hours, they _do not
account this as a cost_, any more than a crossword enthusiast sees
as "a cost" the hours he spends cracking a particularly devious
crossword -- indeed, once said enthusiast is good enough, unless
the puzzle it's hard it's no fun. But don't think that therefore
using an obviously weak scheme is a counter: just below the top
crackerz there are layers and layers of progressively less capable
ones desperate to put notches in their belt.

To me, playing such zero-sum games is a net loss and waste of time
because with the same investment of my time and energy I could
be playing games with sum _greater_ than zero, as is normally the
case for technical development not connected to security issues
(i.e., where the only "net benefit" of the development doesn't
boil down to frustrating somebody else's attempts at cracking and
stealing) and even for much security-related work (e.g., most of
OpenBSD's developments help against plain old BUGS and crashes just
as much as they help against wilfull attacks against you).

There exist technical solutions that DO make it impossible for
anybody to crack your precious algorithms: just make those precious
algorithms available only from a network server under your total
control, NEVER giving out executable code for them. (You can then
work on securing the network server, etc, but these ARE problems
that are technically susceptible to good solutions). If anybody
refuses this solution (surely a costly one on some parameters) it
probably means their algorithms aren't worth all that much after
all (there may be connectivity, latency or bandwidth problems in
some cases, of course, but with the spread of network technologies
these are progressively less likely to apply as time goes by). If
the algorithms aren't worth all that much, they're not worth me
spending my time in zero-sum games to protect them -- lawyers are
probably more emotionally attuned than engineers to playing zero-
sum games, since so much of legal practice vs so little engineering
practice is like that, so that may be a back-up possibility.

It's not about programming languages at all. In the end, "clever"
schemes that are presumed to let people run code on machines under
their control yet never be able to "read" the code must rely on
machinecode tricks of some sort, anyway, since obviously, from a
technical viewpoint, if the code must be executable, it must be
*read* on the way to the execution engine -- if it's encrypted it
must exist in decrypted form at some point (and it can then be
captured and examined at that point), etc. Some of the code that
I was supposed to "protect" for my previous employer was in C,
Fortran, C++, and other high-level languages; some was in
machine code; other yet was in intermediate-code generated by a
proprietary scripting language; ... in the end it made no real
difference one way or another.


Alex

 

[Lulu of the Lotus-Eaters]

(e-mail address removed) (Will Stuyvesant) wrote previously:
|Is it not possible to give away a Windows .exe file that can not be
|decompiled (or only with *extreme* difficulty)?

NO! It is NOT possible.

It is not possible in Python. It is not possible in VB. It is not
possible in C#. It is not possible in C. It is not possible in
Fortran. It is, in fact, not possible in Assembly.

However, distributing a .pyc or an .exe make it require a little bit of
effort to find the underlying code... enough that someone needs to make
a conscious decision to do so, rather than "accidentally" open the .py
file in Notepad.

Yours, Lulu...

 

[Erik Max Francis]

Whie this is all true, you seem to put undue emphasis on the fact that
it's always *possible* to decompile stuff. Isn't the point you make
in your last sentence actually crucial here? The game is to make your
opponent (customer ;-) incur more expense in decompiling it than it
would cost to just go ahead and pay you, is it not? And yeah, you
also have to take into account how much it costs you to come up with
the protection scheme, of course.

The problem here is that it is almost certain that the efforts of
dedicated crackers will be far greater than anything you can come up
with. If someone really wants to crack your program, they will be able
to do so, and there's not much you can do to stop them. Furthermore, in
some senses the monetary analogy, though useful, is flawed. There are
plenty of crackers who simply _will not pay you_ no matter what happens,
even if they fail to compromise your copy protection scheme. And, if
they fail, they may pass it on to friends who are more experience than
they are, and the fruits of that labor will be shared among the cracker
community.

In essence the battle isn't one against many -- you vs. an individual
cracker -- it's one against many -- you vs. an entire community of
crackers -- and you're hopelessly outnumbered. Any amount of effort
you're willing to spend to come up with a sophisticated copy protection
scheme can be easily matched by a group of crackers if they so desire.
Of course this brings up issues of how widely distributed and appealing
your application is, but the bottom line here is that this is a battle
you cannot win -- you simply hope you to avoid the fight in the first
place.

Most copy protection schemes these days, such as they are, are intended
to discourage casual violations. Things like requiring a serial number
or the right CD in the drive are usually considered fairly good common
ground solutions, because they're well-known territory and the average
customer won't be put off too much by them.

 

[Peter Hansen]

Most copy protection schemes these days, such as they are, are intended
to discourage casual violations. Things like requiring a serial number
or the right CD in the drive are usually considered fairly good common
ground solutions, because they're well-known territory and the average
customer won't be put off too much by them.

And, sadly, there is a large number of "average customers" who seem
to be aware of Warez sites and know enough to download and install the
broken versions of software.

The number of people I know with "free" versions of XP is somewhat
shocking.

I think Quicken is one of the few programs I've seen lately which seems
to remain somewhat intact. (I'm quite sure I'll hear otherwise now, but
so far I haven't seen rampant copying.) The basic technique used there
is online registration, which I assume decrypts and/or enables certain
critical portions of the code after server verification of credentials,
and prevents repeat registrations using the same CD. Maybe that's a
good new baseline for such protection.

-Peter

 

[John J. Lee]

Part of the problem is, that the "warezdoodz culture" is stacked
against you. If you DO come up with a novel approach, that is a

[...]

Ah, stop right there (oops, too late!-). I think we're somewhat at
cross-purposes. I was talking about protecting something more at the
level of source code than running programs.

I mostly agree with you on the issue of protecting "binaries", but:

Part of the problem is, that the "warezdoodz culture" is stacked
against you. If you DO come up with a novel approach, that is a

[...]

Though information is indeed always incomplete, it seems a good bet
that war3zd00dz are not an issue for a consultant being hired by a
company to write a 1000 line program. Do you disagree?

Anyway, back to source vs. binaries. Obviously, code that's closer to
the "source" end of the spectrum has additional value. I'd got the
impression that something rather similar to the original source could
be recovered from Python byte-code, due to its high-level nature
(albeit obviously missing a lot of stuff -- including all those
valuable names). Certainly that's impossible with optimising
compilers (I should have stated this much more strongly in my last
message, of course -- there's no "may" or "guessing" involved there,
unlike the Python case, where I don't know the answer).

It's not about programming languages at all. In the end, "clever"
schemes that are presumed to let people run code on machines under
their control yet never be able to "read" the code must rely on
machinecode tricks of some sort, anyway, since obviously, from a

[...]

Until MS get their grubby hands on our CPUs, anyway :-(


John

 

[John J. Lee]

"John J. Lee" wrote: [...]
The problem here is that it is almost certain that the efforts of
dedicated crackers will be far greater than anything you can come up
with. If someone really wants to crack your program, they will be able
to do so, and there's not much you can do to stop them. Furthermore, in
some senses the monetary analogy, though useful, is flawed. There are

[...]

Oh, absolutely, but we're not (weren't, anyway) talking about a
consumer app here, but a 1000 line Python program written by a
consultant for a company. Companies are not "warez doodz", and tend
to be driven by money. The source (or something closely related to
it, like a decompiled Python program) may be significantly more
valuable to them than the executable.


John

 

[Ron Adam]

Suppose I want to sell a (small, 1000 lines) Python program. It is a
commandline program for database applications and I have a customer.
The customer wants to "try it out" before buying. The try-out version
should be a full, complete, version.

As much as I like the opensource movement, I have a problem now. If I
just give them the Python source code then they can show it to their
programmers and they have no reason anymore to pay money to me. Sure
that would break our agreements, but you know bussiness, legal issues.
The thing the customer is interested in is the algorithm used in the
program. Not much I could do about such a scenario effectively.

I tried py2exe before, but someone told me it is always possible to
decompile...revealing the source code.

Anybody has a solution to this, besides more legal paperwork (I am in
europe...forget about claiming your rights here)? Is it not possible
to give away a Windows .exe file that can not be decompiled (or only
with *extreme* difficulty)?

It looks to me like you just want a guarantee that you will be paid
for your work. I don't think that is too much to ask from a company
that will use it to increase productivity.

Incrypting it or not won't make any difference in this case since the
demo version will be fully functional. They can still make a copy of
it and use it anyway without telling you.

You need to secure the demo process not the demo itself. Making a web
page and inserting your code in it as a cgi script would be the best
way to do that. Alex's point of view I think. It can also serve as
an advertizement if you want to sell it to others.

Another is if they are physically close to you, is to do the
demonstrationt in person on a laptop that you can take with you when
you leave. The program is never run on their computers.

A third is to offer a demo animation. A slide shows example input and
output but doesn't actually contain your program.

All of these might be worth while if you intend to sell your program
to others.

If this is a one time deal, then probably the simplest way, is to
have them give you some sample data, and you send them back the
output. If they like what they see, then they buy it. And since the
source is included, they can change it if it's not quite what they
want. That could be a selling point.

You will still need some sort of non-resell/distribution agreement,
put that on the sales invoice and in the code.

Does this help?

_Ron

 

[John J. Lee]

Erik Max Francis wrote: [...]
I think Quicken is one of the few programs I've seen lately which seems
to remain somewhat intact. (I'm quite sure I'll hear otherwise now, but
so far I haven't seen rampant copying.) The basic technique used there
is online registration, which I assume decrypts and/or enables certain
critical portions of the code after server verification of credentials,
and prevents repeat registrations using the same CD. Maybe that's a
good new baseline for such protection.

In the end, that's just as vulnerable to hacking as anything else to a
determined binary-attacker (which as you point out, do exist for
consumer apps).


John

 

[Erik Max Francis]

Though information is indeed always incomplete, it seems a good bet
that war3zd00dz are not an issue for a consultant being hired by a
company to write a 1000 line program. Do you disagree?

Yeah, but at the same time, if he's dealing in good faith with a company
that he thinks is reputable enough to be talking to in the first place,
what is the likelihood they're going to rip off his work at all?

 

[Erik Max Francis]

Oh, absolutely, but we're not (weren't, anyway) talking about a
consumer app here, but a 1000 line Python program written by a
consultant for a company.

If he wrote the software for the company under the agreement that they'd
buy it if they liked it, what's the likelihood that this is a concern at
all? I would hope that if he had a real concern that this was a likely
outcome -- that they'd talk to him, wait for him to deliver a product,
and then refuse to pay him -- that he wouldn't be dealing with them at
all anyway.

 

[Bengt Richter]

It's not about programming languages at all. In the end, "clever"
schemes that are presumed to let people run code on machines under
their control yet never be able to "read" the code must rely on
machinecode tricks of some sort, anyway, since obviously, from a
technical viewpoint, if the code must be executable, it must be
*read* on the way to the execution engine -- if it's encrypted it
must exist in decrypted form at some point (and it can then be
captured and examined at that point), etc. Some of the code that

(or maybe it can't, for practical purposes, see below)

I was supposed to "protect" for my previous employer was in C,
Fortran, C++, and other high-level languages; some was in
machine code; other yet was in intermediate-code generated by a
proprietary scripting language; ... in the end it made no real
difference one way or another.

OTOH, we are getting to the point where rather big functionality can be put
on a chip or tamper-proof-by-anyone-but-a-TLA-group module. I.e., visualize
the effect of CPUs' having secret-to-everyone private keys, along with public keys,
and built so they can accept your precious program code wrapped in a PGP encrypted
message that you have encrypted with its public key. The computer owner can
say run it or not, but other than i/o nothing can be observed, because decryption
happens in cache memory that you can't reach the address/data busses of, and execution
likewise passes no instructions or temporary data through any tappable wire. A separate
execution unit commpunicates via a restricted protocol to a normal CPU unit that has
normal OS stuff running and can do the rest, but can't reach into that private space.

This is not so magic. You could design a PC with a locked enclosure and special BIOS
to simulate this, except that that wouldn't be so hard to break into. But the principle
is there. Taking the idea to SOC silicon is a matter of engineering, not an idea break-through
(though someone will probably try to patent on-chip stuff as if it were essentially different
and not obvious ;-/)

I think this will come. It can be a good thing _if used right_, but that's a big if. I just hope
it won't be used to make artificial obstacles to interoperability of free vs proprietary. And doing
it between proprietary stuff just raises the prices for what can't compete on merit.
I have a hunch FSF/EFF lawyers should be preparing to lobby against laws that will permit such
market manipulations, if they aren't already. Or maybe get law enacted mandating free interoperability.

Maybe I'm just a worrywart ;-)

Regards,
Bengt Richter

 

[Lulu of the Lotus-Eaters]

(e-mail address removed) (John J. Lee) wrote previously:
|consumer app here, but a 1000 line Python program written by a
|consultant for a company. Companies are not "warez doodz", and tend
|to be driven by money. The source (or something closely related to
|it, like a decompiled Python program) may be significantly more
|valuable to them than the executable.

To my mind, distributing a .pyc to clients is plenty of protection. I
admit that if you send the .py script itself, it's fairly easy for them
to "accidentally" copy it or alter it in a way your contract doesn't
allow. Basically completely effortless, which makes cheating perhaps a
tad too tempting.

But decomiling a .pyc takes some work. Not a LOT of work mind you. But
enough that a boss has to ASSIGN a programmer the job of creating the
decompiled version. In other words, a client who will decompile a .pyc
has some actual malice in their intent to violate your license (assuming
that's what the license says). The lack of ambiguity gets you precisely
to the point where contracts and laws are the right framework for
protecting copyright.

Yours, Lulu...

 

[Marijan Tadin]

Well, I am by no means Python or programming expert, but I've been
reading posts to the same topic before.
I wonder why nobody mentioned Pyrex in this context:

http://www.cosc.canterbury.ac.nz/~greg/python/Pyrex/

As far as I've understood, in Pyrex module you can mix Python and
C-code, and Pyrex will translate this module in C-code (Python extension
module), and then all you have to do is compile this C-sorce file
(automaticaly created by Pyrex). You can also write pure Python code in
your Pyrex module, and Pyrex will translate this into a C-code. Then you
can use py2exe with this compiled extensions (otherwise generated *.exe
file is actually *.zip file with *.pyc files in it).
There might be a problem: AFAIK there are some restrictions, and you can
not use all the features of Python in Pyrex, but in that case, you may
put just some vital parts of your programm in Pyrex.
By doing so, you get the same protection as you would have if you've
written your programm in C, and it would be much more difficult to
decompile your code then from *.pyc file, and I believe that this is
what many people are asking for.
Of course, if the value of your programm is high enough, so that some
dedicated cracker wants to crack it, then everything that was written in
other posts fully applies.
I hope this helps a little,
Marijan Tadin