comp.lang.ruby

Protecting ruby/rails source: How?

Carmine Moleti

5/25/2006 3:12:00 PM

Hi to everyone,

I have to develop a new application and there are good chances that it
will be "web" based (it should be used in an intranet).

Now I'm evaluating ruby and rails as the tool of choice. They both are
great stuff!

There's one thing stopping me so far, and it's that the application's
source code will be available to everyone.
I thought I could put all the registration/license info in a database
table giving the "normal" user read-only access, thus cutting out
"weekend" pirates.

This, though, won't stop more skilled "pirates" from modifying the source
code in order to:
- Ignore the registration/license table
- Use an "ad hoc" one to fake a valid license

Are there any methods to avoid this?
I've read about Ruby source code obfuscators, but there seem to be
none available (production ready) yet. Still, are they useful for this
purpose?

I forgot to say that the app has to be installed both on windows systems
and on linux systems.

Thanks in advance for your reply.

Regards,
Carmine
12 Answers

coachhilton

5/25/2006 3:51:00 PM

0

I made a post about this topic a couple of years ago. The idea I was
going with at the time was obfuscation. However, the Ruby gurus out
there convinced me that even that wouldn't stop a serious hacker from
being able to read or modify the code. As I recall, the final answer
was to use the Ruby to C converter and compile an exe, which would be
much harder to modify. Here's the thread for that post, in the event
it's at all useful to you.

Ken

http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/aa4d1a0a1c596763/f31a34f803c20654?q=obfuscate&rnum=1#f31a34...

Jonathan Heinen

5/25/2006 3:58:00 PM

0

Hello,

Why would the code be available to everyone if you write a web-based Ruby
on Rails application?
Did I not understand you well? Do you want to write a web server application
usable by a browser as client? Or will you write clients in Ruby
connecting with databases?

Jonathan
Carmine Moleti wrote:
> Hi to everyone,
>
> I have to develop a new application and there are good chances that it
> will be "web" based (it should be used in an intranet).
>
> Now I'm evaluating ruby and rails as the tool of choice. They both are
> great stuff!
>
> There's one thing stopping me so far, and it's that the application's
> source code will be available to everyone.
> I thought I could put all the registration/license info in a database
> table giving the "normal" user read-only access, thus cutting out
> "weekend" pirates.
>
> This, though, won't stop more skilled "pirates" from modifying the source
> code in order to:
> - Ignore the registration/license table
> - Use an "ad hoc" one to fake a valid license
>
> Are there any methods to avoid this?
> I've read about Ruby source code obfuscators, but there seem to be
> none available (production ready) yet. Still, are they useful for this
> purpose?
>
> I forgot to say that the app has to be installed both on windows systems
> and on linux systems.
>
> Thanks in advance for your reply.
>
> Regards,
> Carmine

Carmine Moleti

5/25/2006 4:22:00 PM

0

Hello Jonathan,

> Why would the code be available to everyone if you write a web-based Ruby
> on Rails application?
> Did I not understand you well? Do you want to write a web server application
> usable by a browser as client? Or will you write clients in Ruby
> connecting with databases?

Sorry for not being clear enough, English is not my language.

There are two kinds of applications waiting to be developed (separately)
and that have nothing to do with each other.

The first one is a Ruby one with GUI and DB and no Rails.
The second one is a Rails one.

In either case, the source code will be placed at a "short" reach from
the users' hands.

I mean, I'm not the owner of the customers' servers/workstations hw,
hence I can impose very few limits on what contents can be seen/touched
by anyone via permissions.
This means that there's the possibility that the sources can be modified
without my company's permission. As I wrote before, a Ruby-skilled
person could modify the sources to bypass the license protection code and
thus copy the application to someone else.

Thanks for your help.

psychotron

5/25/2006 6:02:00 PM

0

Carmine Moleti <carmineaskme@askme.ask> wrote:

> I have to develop a new application and there are good chances that it
> will be "web" based (it should be used in an intranet).
>
> Now I'm evaluating ruby and rails as the tool of choice. They both are
> great stuff!
>
> There's one thing stopping me so far, and it's that the application's
> source code will be available to everyone.
> I thought I could put all the registration/license info in a database
> table giving the "normal" user read-only access, thus cutting out
> "weekend" pirates.
>
> This, though, won't stop more skilled "pirates" from modifying the source
> code in order to:
> - Ignore the registration/license table
> - Use an "ad hoc" one to fake a valid license

I think it is a waste of time. A basic protection is good and the poorly
skilled crackers are gone.

Perhaps rubyscript2exe can be useful in your case
<http://www.erikveen.dds.nl/rubyscript2exe/inde...

But the source is copied to a temp location upon execution...

--
Alberto Careccia - http://w...
"The only thing that I know is that I don't know anything" -Socrates

Carmine Moleti

5/26/2006 8:09:00 AM

0

Psychotron wrote:

> I think it is a waste of time. A basic protection is good and the poorly
> skilled crackers are gone.
>
> Perhaps rubyscript2exe can be useful in your case
> <http://www.erikveen.dds.nl/rubyscript2exe/inde...
>
> But the source is copied to a temp location upon execution...

I do agree it's a waste of time, since there's nothing to prevent source
modification and/or copying the whole app yet.

Well, I guess I'll have to report this to the application's stakeholder;
then if he wishes to take this "risk", OK, else I'll have to :( evaluate
something different from Ruby/Rails.

Neil Wilson

5/26/2006 8:10:00 AM

0

> Are there any methods to avoid this?

Yes. Use legal action and random audits. The solution is not technical
but legal. Your source is copyright and the user has only a license to
employ. If they break that license you sue them.

Trying to hide a program is a waste of time. It makes maintenance
harder and doesn't stop anybody who wants to from working out what your
program does.

If it is more important to protect your code than to be able to develop
it quickly then I would question why you are using Ruby and Rails in
the first place.

Stop looking for a technical solution. There isn't one to this
particular problem. The solution lies in the reporting and auditing
process.

Carmine Moleti

5/26/2006 10:52:00 AM

0

First off, thanks for your reply.

Neil Wilson wrote:
> > Are there any methods to avoid this?
>
> Yes. Use legal action and random audits. The solution is not technical
> but legal. Your source is copyright and the user has only a license to
> employ. If they break that license you sue them.

This is a good solution, and doing random audits will allow checking
whether or not there have been source code modifications. What about
unauthorized redistributions?

> Trying to hide a program is a waste of time. It makes maintenance
> harder and doesn't stop anybody who wants to from working out what your
> program does.

I do agree. So, do you think the only solution to avoid unauthorized
redistribution is to "pray" and hope in customers behaving well?

> If it is more important to protect your code than to be able to develop
> it quickly then I would question why you are using Ruby and Rails in
> the first place.

Protecting the code is not more important, it's also important to me (if
there's a way to).

I'm trying to push ruby/rails in the company's business, and "code
hiding" is something I'll be asked about for sure.
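
The audit idea raised in the two posts above (checking an installation for source modifications) can be sketched as follows. This is an added example, not code from any poster in the thread; the file names and the sample tree are constructed, and it assumes the vendor records the baseline manifest at install time and keeps it off the customer's machine, since a manifest stored next to the code can be rewritten along with it.

```ruby
require "digest"
require "find"
require "tmpdir"
require "fileutils"

# Map every file under +root+ (as a relative path) to its SHA-256 hex digest.
def build_manifest(root)
  manifest = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    manifest[path.delete_prefix("#{root}/")] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Compare the tree found at audit time with the vendor's baseline manifest.
def audit(baseline, root)
  current = build_manifest(root)
  common = baseline.keys & current.keys
  {
    modified: common.reject { |f| baseline[f] == current[f] }.sort,
    missing:  (baseline.keys - current.keys).sort,
    added:    (current.keys - baseline.keys).sort
  }
end

# Constructed sample tree standing in for an installed application.
def demo_audit
  Dir.mktmpdir do |root|
    models = File.join(root, "app/models")
    FileUtils.mkdir_p(models)
    File.write(File.join(models, "license.rb"), "# license check, as shipped\n")
    File.write(File.join(models, "invoice.rb"), "class Invoice; end\n")
    baseline = build_manifest(root) # recorded by the vendor at install time

    # Changes made on site after installation, which the audit should report.
    File.write(File.join(models, "license.rb"), "# license check, edited on site\n")
    File.write(File.join(models, "patch.rb"), "# file not in the shipped release\n")
    FileUtils.rm(File.join(models, "invoice.rb"))
    audit(baseline, root)
  end
end

p demo_audit if __FILE__ == $PROGRAM_NAME
```

A check like this detects modification of an installation that is audited; it says nothing about copies redistributed elsewhere, which is the open question in the post above.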

Tom Agnew

5/26/2006 11:09:00 PM

0

Are file system protections an option? Can you use strict permissions
or ACLs on your production files?

Carmine Moleti wrote:
> First off, thanks for your reply.
>
> Neil Wilson wrote:
>
>>> Are there any methods to avoid this?
>>
>> Yes. Use legal action and random audits. The solution is not technical
>> but legal. Your source is copyright and the user has only a license to
>> employ. If they break that license you sue them.
>
>
> This is a good solution, and doing random audits will allow checking
> whether or not there have been source code modifications. What about
> unauthorized redistributions?
>
>> Trying to hide a program is a waste of time. It makes maintenance
>> harder and doesn't stop anybody who wants to from working out what your
>> program does.
>
>
> I do agree. So, do you think the only solution to avoid unauthorized
> redistribution is to "pray" and hope in customers behaving well?
>
>> If it is more important to protect your code than to be able to develop
>> it quickly then I would question why you are using Ruby and Rails in
>> the first place.
>
>
> Protecting the code is not more important, it's also important to me (if
> there's a way to).
>
> I'm trying to push ruby/rails in the company's business, and "code
> hiding" is something I'll be asked about for sure.


Neil Wilson

5/27/2006 10:21:00 AM

0

> I do agree. So, do you think the only solution to avoid unauthorized
> redistribution is to "pray" and hope in customers behaving well?

Not quite that negative. More speak softly and carry a big stick. Not
quite sure if that particular metaphor translates that well though.

Essentially the solution is process based, not technology based.
Hacking and illegal duplication is a fact of life, but, once you feel
the need to go beyond pragmatic security controls to something that is
going to make life harder, then the solution is with the lawyers not
the programmers.

And I think you'll find that the majority of people are honest and only
too happy to show that they are complying with their licences.

NeilW

Carmine Moleti

5/29/2006 7:39:00 AM

0

Hi Tom,

Tom Agnew wrote:
> Are file system protections an option? Can you use strict permissions
> or ACLs on your production files?

As of now, I'm evaluating the following possibilities:

- On Windows platforms (almost exclusively workstations):
  - The installer takes care of license code validation
  - It's a "poor" solution but I've to provide one :)

- On Linux platforms:
  - This environment won't be too "hostile" since almost every Linux
    server at our customers' places is managed by us :)


Thanks