[nycphp-talk] testers wanted - phpguardian.com

John Christian jchristian at hotshed.com
Thu Jun 20 00:16:24 EDT 2002


Charles, 

You are obviously not in a position where you have non-stop DoS
attempts, gumby hackers trying to penetrate your servers or employees
wanting to walk away with a cut-and-paste of your source! While
Obfuscation is not the holy grail of internet security - it's certainly a
stepping stone to separate the wannabes from the serious attacks and
save unneeded stress. You wouldn't post your root password on your
website, but it's possible someone could tap that information or bypass
it altogether - same principles apply at all levels of security - best
practices. 

For $us250 - I think only someone who has got nothing to lose wouldn't
consider the option!

That's just my 2 cents
John




-----Original Message-----
From: charles at softwareprototypes.com
[mailto:charles at softwareprototypes.com] 
Sent: Thursday, 20 June 2002 1:43 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] testers wanted - phpguardian.com


Kyle, at the risk of lacking subtlety,

if I loosed some extremely sophisticated search engines (and I've
written AI code and articles for AI Expert) on the internet on a hundred
PCs and let those search engines run for a year, do you think I could
find a SINGLE fuckin' competitor of yours who'd even want to see your
fuckin' code? Really now.

You're just fuckin' your clients over and fooling yourself. Try it with
a free-ware, GPLed release of the previous version of your product and
you'll be disgusted at the complete and utter lack of interest EXCEPT by
your existing client base, maybe, if you're lucky.

Code obfuscation is pointless and you'd be surprised how it HURTS you
and HELPS your competitors since they have to reverse engineer with a
clever way of doing what they see your code doing without your own
prejudices. 

They probably come up with shit you never thought of. Much more clever
than anything you came up with in the first place. (I made a MISTAKE
reverse engineering an expert system inference engine and ended up with
a complete enterprise modeling engine which then went nowhere because
the managers of the firm were great real-estate salesmen but couldn't
manage an MIS project at gun point. Utter dick-heads.)

Obfuscation is a mechanical process and if YOU can obfuscate it, it can
be UN-obfuscated almost as fast as you can muddy the waters. (there were
viri written for M$ XL BEFORE XL was even available on CD-ROM.) And by
ditching the variable and function names, (unless the
DDE/OLE maps are available,) the un-obfuscation gets rid of your own
internal slants and just shows things as they really are.

Stop with the code obfuscation BS.

The business and the money is NOT in the product but in the process of
building the product. HOW your company got the product spec in the first
place is much more important than the product to because life is a
moving target and whatever you deliver TODAY is obsolete before you even
deliver it.

Obfuscation is for long-term losers. phpguardian is a sham, a waste of
time and money and utterly counter-productive. AND NOBODY needs it.

-Ch-A.

> From: "Kyle Tuskey" <ktuskey at exostream.com>
> Organization: New York PHP
> Reply-To: talk at nyphp.org
> Date: Wed, 19 Jun 2002 19:55:06 -0400
> To: NYPHP Talk <talk at nyphp.org>
> Subject: RE: [nycphp-talk] testers wanted - phpguardian.com
> 
> I don't necessarily think this product is amazing, but I think saying
> that code obfuscation isn't needed because "it isn't open source 
> friendly" is a bold statement.  Some of us develop commercial 
> redistributable software that needs obfuscation to protect the code.  It
> is also a valuable tool for certain contracting circumstances.  I do 
> feel that the zend encoder is the best obfuscator on the market, but 
> then again I'm jaded since I know zeev and support his company.
> 
> 
> -- Kyle
> 
> 
> 
> -----Original Message-----
> From: charles at softwareprototypes.com 
> [mailto:charles at softwareprototypes.com]
> Sent: Wednesday, June 19, 2002 2:00 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] testers wanted - phpguardian.com
> 
> uh, php runs on the server side. It never gets off of the server 
> because that's pointless.
> 
> Just who are we shielding the code from exactly?
> 
> - Ourselves? Get real.
> - The "competition"? It entirely defeats the purpose and spirit of 
> open source.
> - "Crackers?" They just stress test your back-up and recovery 
> procedures.
> 
> Use CVS or SourceSafe or some other file versioning system and put 
> checked-out copies of the files in a tree under a shared directory
> or under the various home directories.
> 
> This abomination entirely defeats the purpose and spirit of open 
> source. I say ignore it. If you're really in a snit, boycott it.
> 
> It's a __bad__ idea. ON par with charging for your OS.
> 
> -Ch-A.
> 
>> From: Hans Zaunere <zaunere at yahoo.com>
>> Organization: New York PHP
>> Reply-To: talk at nyphp.org
>> Date: Wed, 19 Jun 2002 10:29:14 -0400
>> To: NYPHP Talk <talk at nyphp.org>
>> Subject: [nycphp-talk] testers wanted - phpguardian.com
>> 
>> 
>> There's been some talk lately of source protection.  This package looks
>> very nice after a quick glance.
>> 
>>> From: "ade_inovica" <mrwowza at hotmail.com>
>>> 
>>> Hi there
>>> 
>>> We're just about ready to release an application called phpguardian -
>>> an application which will protect php source code.  We are really
>>> keen to get some people to try it, so if anyone is interested, 
>>> please visit http://www.phpguardian.com and go to the download link
>>> 
>>> All the best to everyone!
>>> 
>>> Ade
>> 
>> 
>> 
> 
> 
> 
> 
> 





