Software Protection

[dickey]

Hello everyone,

I just wanted to pose a few questions and kick off a discussion in respect of "Software Protection" and Revolution. I am not talking application security from a user or adminstration perspective. I am referring to the protection of the developer or publisher's intellectual property, generally vested in application code, logic, workflow, and supporting files (media, databases etc).

When I focus on software security I think: encoding and obfuscation technologies to prevent reverse engineering, copyright infringement and and unauthorized modification of your code.

Admittedly, as a developer whom has just taken a seat in the Revolution arrivals lounge, I know little of how these matters are dealt with by Revoultion Developers.

Perhaps that is the place to start the discussion. How do others approach these matters?

I am intimately familiar with implementations of application security when using other languages like PHP (for example using Zend Guard), and wondered whether similar products were available for Revolution. Do they exist?

This is also an issue central to application design for me. Whether to separate core intellectual property by only exposing it as perhaps a web service to a client built in Revolution or if it can be well protected build a more complete application in Revolution.

Your thoughts and opinions most welcome, and appreciated.

[Mark]

Dickey,

Perhaps you get more answers if you can come up with a very concrete example.

Best,

Mark

[malte]

What you can do to protect your scripts, is password protecting your stacks. For images you will be unable to avoid the possibility of simply taking a snapshot and for external video and audio files it is a matter of where you store them. If you are thinking along the lines of registration keys, it is a race. A race the developer can not win. If any serious cracker is interested in cracking your keygen, they will. They do it for any app. IMHO, the only thing you can do is try to keep honest people honest. Implement some sort of key generator. That´s fine. Those who crack that, or search for pirated keys won't pay you anyways. The best thing is a registration system that is not getting on honest peoples nerves. If you can avoid calling home, avoid it. I always find it strange and even rude if I buy software and the first thing it does is calling mom and dad, even though I WAS honest and paid for it. I am not a pirate. The software vendor took my money, so pretty please with cream on top, put some trust in your customer.

2 euro cents,

Malte

[andyh1234]

Id agree with Malte, whatever security system you put in place, if someone wants to crack it they will and if people are looking for pirated keys, they dont want to pay. Even if your software is completely secure, if users can then find a key for your competitors software they will just use that instead.

Annoying paying customers is far worse, I have used both standard keys and call-backs in the past, and standard keys resulted in higher sales and less admin than the call backs, even though some keys inevitably found their way out there. At the moment we use the Kagi system as that was around when we first wrote the app, but just got the RunRev mega pack and that includes Zygodat so ill be looking at that as soon as I get my keys (good example btw - got the keys for almost every component in the pack immediately, but 4 days later and still nothing for Zygodat so im about to pop an email off to RunRev which means more admin for them).

Im almost coming round to the fact some pirated keys can be made to work for you, you will get people using them but then when you release the next major update with all the new whistles and toys some will want to upgrade but the software crackers will take a short while to catch up so you could generate some more sales that way.

Just my two penneth!

Andy

[matty47]

I also agree that I am not in favour of "phone home" if only for the reason that if the vendor ever "goes bust", gives up support or otherwise stops the server you may not be able to relicence software (that you have paid for) if for instance you change machines or hardware configuration.
A$0.025
Without hijacking the thread - @andyh1234 I got all the keys for my megabundle except Franklin 3d and Valentina which I was advised by Runrev as having some difficulties ?? Did you receive the keys for those products.

[andyh1234]

Yes, Im in the same position Dickey now, got everything except Franklin and Valentina, im sure they will come through soon.

Just looking at our web stats and 33 people a day come to our site having searched for an unlock key. You cant stop people looking but its nice to know some come to the official site and but (or download the app once they have found a key elsewhere!)

[edljr]

I have enjoyed reading this thread regarding software protection. As a sideline viewer, I appreciate the time folks have taken to share their insights.

Does anyone know of any protection options (not costly) for standalone applications that will be run on computers without Internet Access? The application I am concerned about is planned to be delivered via CD-ROM and electronically. I have considered making this an application that must be run from a CD-ROM only, but I am not sure if I can achieve that goal with revTalk.

So, my specific question is, is it possible to have a program written in revTalk check to see if it is on an optical drive (Mac & PC)? If so, how?

I appreciate any help. I did search the revDictionary for "disk," "drive," and "optical," but I came up dry.

Thanks,
Ed

[Mark]

Hi Ed,

Eventually, all software can be hacked. People who don't intend to pay for your software never will pay, people who are honest need only a small incentive to stay honest. So, it doesn't make much sense to invest hugely in software protection measures. Note that the big companies use no or very sraightforward protection mechanisms.

Without an internet connection, it may be possible to save the serial number of the CD-rom in an encrypted file on the hard disk. If the serial number doesn't match, the user is using a duplicate of the CD. Of course, this only prevents the user from using a different CD after installation, but it is a start.

You might also ask the CD factory whether it is possible to write the serial number of the CD to a file on that CD. That way, whenever the CD is copied, the file and the actual serial number no longer match and you can check whether an original CD is being used.

To find out which drive is the CD drive, just write a script that gets the labels of the drives on Windows, e.g. shell("vol x:") will return the label for the disk in drive X, if available. Find the drive with the right label and you know which drive is your CD. On Mac and Linux, just use "/volumes/nameOfCD/folder/file" as your path.

I hope this helps.

Best,

Mark

[edljr]

Thanks, Mark.


Ed

[redpill]

...When I focus on software security I think: encoding and obfuscation technologies to prevent reverse engineering, copyright infringement and and unauthorized modification of your code.
...

Although I am new to this forum and to Rev, I would like to respond to your enquiry: It looks as though the previous replies were mostly regarding licensing an application (using key generators, etc.) and not about the protection or obfuscation of source code which is what I understand you to mean.

So, does Rev create a binary file when the source is compiled? (Just asking, as I have yet to even create an app.)

If Rev's lineage is from Hypercard / Supercard, then perhaps there are resources available in that area that could lead to a solution.

Or, if all else fails, wrap your product into an encrypted installer. But, then, we come back to square one: key generation and cracked installers by people who don't care to pay you for your creative works anyway.

This is a quite interesting dilemma, but not an impossible one. Consider this: if you copyright (in the U.S.) your source code for real (not just placing a copyright symbol on your splash screen), you could take legal action against someone who steals it. (In a perfect world.)

Just some thoughts.

Cheers

[Mark]

Redpill,

Just placing a copyright symbol is "real" already. At least, in Europe, copyright is imposed immediately and automatically by authorship, even without a copyright symbol. You should also keep in mind that due to international treaties citizens and companies in almost all countries in the world have to respect this copyright. Normally I won't prosecute individual violators of my copyright, because starting a law suit over 14.95 just doesn't make sense, but if a company violates my copyright I will have no problems whatsoever proving that the company owes me big money.

I don't think that there is a dilemma concerning software protection and taking legal action. They don't exclude each other. Sometimes, it is impossible to take legal action against a hacker, sometimes a company violates your copyright despite protection (and not necessarily on purpose), sometimes I put a copyright symbol on my software while I don't care about protection, but I might still raise my hand if I notice that a big company violates my copyright.

Revolution doesn't really compile your scripts. It takes a binary and glues your files to the standalone or simply places the files and the binary in one folder, depending on your settings. Compilation takes place whenever the engine reads a file into memory. Revolution provides an option to protect your code with a password. If you set a password, your code will be encrpyted. It is a weak form of encryption, but if you open the standalone binary in a text editor, you won't find any of your own scripts.

I have created installer software, which I use for many of my products, but it's goal is mainly to make installation easier, it isn't really meant to protect my products, even though it does to some extent.

Unfortunately, software gets usually hacked in a way where no obfuscation, installer, encryption, or copyright would help. Hackers just install the software, wait for the license key window and let a hackers utility enter keys until it finds a working one. Of course, there are ways to prevent this simple hacking method from happening, but those ways may hamper your well-willing, paying customers.

Best regards,

Mark
(Disclaimer: I'm no lawyer blabla etc.)

[jacque]

If you set a password, your code will be encrpyted. It is a weak form of encryption

I'm late to this thread but I just noticed this. It's true encryption was weak in previous versions. It turned out to be a bug in the encryption code. That was fixed in Rev 4.0 and encryption is now as solid as it gets, using SSL.