NYCPHP Meetup

NYPHP.org

Getin' paranoid with php code protection

charles at softwareprototypes.com
Thu Jun 20 13:29:06 EDT 2002


Who's paying who for what, when and where seems to be something
nobody has touched on in this code obfuscation discussion.

1) Who paid for the development? 

Somebody else or yourself? If you did code-for-hire, it's not your
call and not your problem. If it's your code, read on.

2) How much did it cost? How much is it worth, now, in a week, in a
year? 

If it cost a lot (>$10k) to develop, it's probably tied into some
domain-specific experience and would cost that much again to
integrate it into another site. If it's less, it's not worth stealing,
or protecting by making the maintenance of it more difficult. 

Especially since it's machine code (even VM code), so it's trivial to
disassemble, map variable and function names onto, and if you've got a
DDE/OLE type convention, it's dishearteningly easy to recover
everything but stack/frame temp var names.

3) Why was it developed?

4) Why would anyone want to steal it?

How is whoever owns the code making money off of this code? Are you
selling your code or could/should you use any code that escapes as
free advertising for your coding skills?

5) How vulnerable is it anyway?

You haven't told me how the thief is supposed to steal these php
pages, since php runs on the server and those pages should be spewing
html out to the client.

5a) Having php code on anything but the server-side is, uh, silly,
because it won't get executed and therefore I certainly wouldn't want
to steal a page which was written to have some php code making its
way out of the server because the writer obviously didn't know what
he was doing.

5b) If you're worried about somebody FTPing into your box, remember,
you can password protect subdirectories, make them belong to another
user, make the files non-world visible but group accessible. If
someone does steal your pages (that's a stupid concept since you're
publishing them on your web site for everyone to access), he'd have
to also duplicate your database schema and your database content.
That gets a bit harder to pull off and is prosecutable. 

Conclusion:

Stealing code is not that easy and not that simple. Stealing code and
getting it to work is orders of magnitude more complicated.

Unless your php code could be turned outright into a shrink-wrappable
solution for a broad class of problems, I wouldn't worry about it
getting loose.

Why would you be writing a "shirk"-ware app in php? C++ would give
you that kind of control while saddling you with the responsibility
for maintenance, updates, correctness, training and support.

You're right, "We live in a world where the majority of Napster
users honestly think they're not doing anything wrong."

And you know what? They're right. 

As galling as it might seem to you to hear this, since you're NOT
living in a perfect world, using a business model which requires that
everybody play by rules that can't be enforced is stupid, leads to
oppression, coercion, suppression, censorship. All the things we hate
and chafe at the very suggestion of.

Find some other, more reality-based, way to make a buck.

Rent out your skills and your ability to learn, adapt and code. You
have nothing else that's truly your own.

The distance between past and future is a user-illusion, a dream-thin
shock-wave. Be a shock-wave rider or wipe out. Those are the choices.

-Ch-A.



