stupid question about to protect source code of perl web application scripting

dear all,

I have a question. I have written a web application with perl.
Unfortunately, since everything is written in perl, everyone can see all the source
code I wrote. My question is: is there any way to protect that source
code? Compile or encrypt it?


I am looking forward to a favorable reply from you. Thank you.


regards,

Eko
eko
7/7/2019 3:01:25 AM
perl.beginners

On 7/6/19 11:01 PM, Eko Budiharto wrote:
> dear all,
>
> I have a question. I have written a web application with perl, 
> unfortunately everything written in perl, everyone can see all source 
> codes I wrote. My question is is there anyway to protect those source 
> codes? Compile or encrypt it?
>

if it is a web application and you don't give out the source, it should 
be inaccessible to users of the application. but in general there is no 
secure way to hide perl source if you want to distribute the program. if 
your application is worth something, then honest users will pay for it 
and you shouldn't need to hide the source.

uri
uri
7/7/2019 3:08:45 AM
On 7/6/19 11:10 PM, Eko Budiharto wrote:
> dear Uri,
>
> it is a web application but it is on premise. The user is not honest. 
> That's why I am trying to find a way to protect the source code like 
> in java we can compile into java class and still can be run.

please write to the list and not only to me. use a wide reply for that. 
i cc'ed the list.

i am not sure what you mean by "on premise". what did you write that has 
a dishonest user accessing it? there are ways to hide perl code but they 
are all breakable with some skill needed. if your user isn't skilled or 
doesn't want to get into the source, try one of those methods. you can 
google around and find them.

but it would be better to write the code so that even a dishonest user 
can't break in behind the code. the source code can be useless to them 
if it accesses secure resources (e.g. a database or other server) with a 
login/password that is not in the code.

uri
uri
7/7/2019 3:17:18 AM
dear Uri,

it is a web application but it is on premise. The user is not honest. 
That's why I am trying to find a way to protect the source code like in 
java we can compile into java class and still can be run.

I read some articles on the internet. Some methods use PAR, perlc, 
Filter::Crypto, acme::bleach, but I am not sure they will encrypt the 
source code and still leave it runnable.

The application users of course cannot read the source code, but the sys 
admin can access the source code and this sys admin is a dishonest 
person. :)


On 07/07/19 10.08, Uri Guttman wrote:
> On 7/6/19 11:01 PM, Eko Budiharto wrote:
>> dear all,
>>
>> I have a question. I have written a web application with perl, 
>> unfortunately everything written in perl, everyone can see all source 
>> codes I wrote. My question is is there anyway to protect those source 
>> codes? Compile or encrypt it?
>>
>
> if it is a web application and you don't give out the source, it 
> should be inaccessible to users of the application. but in general 
> there is no secure way to hide perl source if you want to distribute 
> the program. if your application is worth something, then honest users 
> will pay for it and you shouldn't need to hide the source.
>
> uri
>
eko
7/7/2019 3:21:09 AM
On 7/6/19 11:21 PM, Eko Budiharto wrote:
> dear Uri,
>
> it is a web application but it is on premise. The user is not honest. 
> That's why I am trying to find a way to protect the source code like 
> in java we can compile into java class and still can be run.
>
> I read some articles in the internet. Some method are using PAR, 
> perlc, Filter::Crypto, acme::bleach, but I am not sure it will encrypt 
> the source code and it still can be runnable.
>
> The application users of course cannot read the source code, but the 
> sys admin can access the source code and this sys admin is a dishonest 
> person. :)
>

the whole point of those methods is to 'hide' the code and keep it 
runnable. you can try them out and see that they will keep the code 
runnable. how well they 'hide' the code is a different story.

again, i am asking why this code is so valuable (and you are a new perl 
coder it seems) that hiding it is so important.

you can easily get access to a different server away from this dishonest 
admin and redirect your local script to the other place. since the admin 
won't have access to the other server, it will be safe from viewing.

if this is so valuable, paying $5/month for a basic hosting service 
would be worth your while.

uri
uri
7/7/2019 3:27:48 AM
> On 7/6/19 11:21 PM, Eko Budiharto wrote:
> > it is a web application but it is on premise. The user is not honest.
> > That's why I am trying to find a way to protect the source code like
> > in java we can compile into java class and still can be run.

That's a false sense of security. A sufficiently "dishonest" person
can decompile your class files back into source.

It may not be the original source, comments may be lost, function
names and variables may become nonsensical, ( but this last part
typically requires additional obfuscation beyond the standard java
compiler )

But the logic, the interface, and all the metadata required to make
backtraces remotely comprehensible, is all still there for anyone who
wants to look.

> >
> > I read some articles in the internet. Some method are using PAR,
> > perlc, Filter::Crypto, acme::bleach, but I am not sure it will encrypt
> > the source code and it still can be runnable.

Perl is basically the same, you can make it harder for the laziest of
people to obtain readable source code, but ultimately, all these
systems are obfuscation, _not_ protection, they all internally decode
the code first before handing it over to the perl interpreter, as
that's the only way to get it to execute. All an enterprising person
has to do is put some glue between that decoder and the perl runtime,
and the code reveals itself. Or ... you simply need to have that
decoded stuff loaded in memory, and then point deparse at the
in-memory function, and it will spit out something that looks a lot
like the original code.

In short, the time invested in this aspect will basically cost you
money, without materially giving you anything for it. And worse, it
increases the odds that your code will randomly stop working,
frustrating your user, making them swear to never do business with you
again, _AND_ then forcing them to attempt to break your "protection"
in order to fix their broken code.

Just don't bother.

Either simply place the software on a platform where they have no
access to any form of the code whatsoever, not even in its executable
state ( as Uri says ), or put an Iron Clad contract on it that
empowers you to sue the pants off them if they do anything you don't
like with it.

Spend your time working on making a great product that works and makes
them happy so they never *need* to reverse-engineer it, so they never
*need* to compete with you, and you'll have a customer for life.

Don't waste time and money on misguided attempts at "protecting your
code" which will only make you enemies and give your competition the
advantage.

( This stupidity has been tried ad infinitum in everything, and entire
websites now exist for the sole purpose of distributing defeat
mechanisms, and distributing defeated copies of the software. It's an
arms race, one you will ultimately lose. )

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
kentfredric
7/7/2019 7:54:30 AM
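
Kent's point above, that every such scheme has to decode the source before the perl interpreter can run it, can be checked against your own code before investing in a protection tool. The script below is an added example, not code from the thread or from any module named in it; the XOR-plus-base64 loader, the key and `license_ok` are constructed stand-ins.

```perl
#!/usr/bin/env perl
# Added illustration, not code from the thread. The XOR+base64 "protection"
# is a constructed stand-in for a source-encrypting loader.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use B::Deparse;

# Constructed sample logic the vendor wants to hide (formula is made up).
my $plain_source = <<'PERL';
sub license_ok {
    my ($customer_id, $key) = @_;
    my $expected = ($customer_id * 31 + 7) % 9973;
    return $key == $expected ? 1 : 0;
}
PERL

my $xor_key = 'k3y';    # hypothetical key; it has to ship with the loader

# Repeat the key to the data length and XOR the two byte strings.
sub xor_bytes {
    my ($data, $key) = @_;
    my $stream = $key x (int(length($data) / length($key)) + 1);
    return $data ^ substr($stream, 0, length $data);
}

# What gets installed on the customer's server instead of readable source.
my $shipped_blob = encode_base64(xor_bytes($plain_source, $xor_key));

# The loader: decode, then hand plain Perl to the interpreter.
sub load_protected {
    my ($blob) = @_;
    my $decoded = xor_bytes(decode_base64($blob), $xor_key);
    eval $decoded;    # the interpreter only accepts plaintext Perl
    die "load failed: $@" if $@;
    return $decoded;
}

my $decoded = load_protected($shipped_blob);

# Check 1: the blob on disk does not contain the readable source ...
printf "blob contains 'license_ok': %s\n",
    (index($shipped_blob, 'license_ok') >= 0 ? 'yes' : 'no');
# ... but the loader's output is the original, byte for byte.
printf "loader output equals original: %s\n",
    ($decoded eq $plain_source ? 'yes' : 'no');

# Check 2: the compiled sub in memory can be rendered back as source.
my $from_memory = B::Deparse->new->coderef2text(\&license_ok);
print "B::Deparse view of the loaded sub:\n$from_memory\n";

# The protected code still runs normally.
printf "license_ok(10, 317) = %d\n", license_ok(10, 317);
```

Anything the script prints here is equally visible to whoever administers the machine it runs on, which is why the thread recommends hosting the valuable logic on a server that person cannot reach.
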
Hi all,

On Sun, 7 Jul 2019 19:54:30 +1200
Kent Fredric <kentfredric@gmail.com> wrote:

> > On 7/6/19 11:21 PM, Eko Budiharto wrote:
> > > it is a web application but it is on premise. The user is not honest.
> > > That's why I am trying to find a way to protect the source code like
> > > in java we can compile into java class and still can be run.
>
> That's a false sense of security. A sufficiently "dishonest" person
> can decompile your class files back into source.
>
> It may not be the original source, comments may be lost, function
> names and variables may become nonsensical, ( but this last part
> typically requires additional obfuscation beyond the standard java
> compiler )
>
> But the logic, the interface, and all the metadata required to make
> backtraces remotely comprehensible, is all still there for anyone who
> wants to look.
>

In addition see these FAQ replies:

* https://perl-begin.org/FAQs/freenode-perl/#How_can_I_compile_my_code_to_obscure_.2F_obfuscate_the_source.3F

* https://github.com/shlomif/Freenode-programming-channel-FAQ/blob/master/FAQ_with_ToC__generated.md#how-do-i-hideobscureencrypt-my-source-code-to-prevent-end-users-from-learning-how-it-works

This question is very old...


-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
http://www.shlomifish.org/humour/bits/facts/Summer-Glau/

Cogito cogito ergo cogito sum --
"I think that I think, therefore I think that I am."
    — Ambrose Bierce, "The Devil's Dictionary"

Please reply to list if it's a mailing list post - http://shlom.in/reply .
shlomif
7/7/2019 11:25:01 AM
dear all,

first of all, thank you for the responses to my inquiry. Then, there 
are a few questions I would like to ask:

1. if someone takes your works and then he steals the credit by claiming 
the work is his work instead of your work, what will you do?

2. if someone has a problem, he does not want to try to find a way to 
solve the problem first, and then he asks your help and then problem 
solved, then he is blaming the person who already helped him and 
claimed, that is his work. what will you do?

This is kind of some images of this dishonest person.

I do not mind to share my code to the person, if he does not have that 
character.

So far, I have been using perl code for web applications on a hosting 
server. But this time, I have to create a web application on an 
on-premise server.

I am not an expert in perl yet and am still learning, although I learned 
perl when I was still at university 19 years ago.

regards,

Eko Budiharto


On 07/07/19 14.54, Kent Fredric wrote:
>> On 7/6/19 11:21 PM, Eko Budiharto wrote:
>>> it is a web application but it is on premise. The user is not honest.
>>> That's why I am trying to find a way to protect the source code like
>>> in java we can compile into java class and still can be run.
> That's a false sense of security. A sufficiently "dishonest" person
> can decompile your class files back into source.
>
> It may not be the original source, comments may be lost, function
> names and variables may become nonsensical, ( but this last part
> typically requires additional obfuscation beyond the standard java
> compiler )
>
> But the logic, the interface, and all the metadata required to make
> backtraces remotely comprehensible, is all still there for anyone who
> wants to look.
>
>>> I read some articles in the internet. Some method are using PAR,
>>> perlc, Filter::Crypto, acme::bleach, but I am not sure it will encrypt
>>> the source code and it still can be runnable.
> Perl is basically the same, you can make it harder for the laziest of
> people to obtain readable source code, but ultimately, all these
> systems are obfuscation, _not_ protection, they all internally decode
> the code first before handing it over to the perl interpreter, as
> that's the only way to get it to execute. All an enterprising person
> has to do is put some glue between that decoder and the perl runtime,
> and the code reveals itself. Or ... you simply need to have that
> decoded stuff loaded in memory, and then point deparse at the
> in-memory function, and it will spit out something that looks a lot
> like the original code.
>
> In short, the time invested in this aspect will basically cost you
> money, without materially giving you anything for it. And worse, it
> increases the odds that your code will randomly stop working,
> frustrating your user, making them swear to never do business with you
> again, _AND_ then forcing them to attempt to break your "protection"
> in order to fix their broken code.
>
> Just don't bother.
>
> Either simply place the software on a platform where they have no
> access to any form of the code whatsoever, not even in its executable
> state ( as Uri says ), or put an Iron Clad contract on it that
> empowers you to sue the pants off them if they do anything you don't
> like with it.
>
> Spend your time working on making a great product that works and makes
> them happy so they never *need* to reverse-engineer it, so they never
> *need* to compete with you, and you'll have a customer for life.
>
> Don't waste time and money on misguided attempts at "protecting your
> code" which will only make you enemies and give your competition the
> advantage.
>
> ( This stupidity has been tried ad-infinitum in everything, and entire
> websites now exist for the sole purpose of distributing defeat
> mechanisms, and distributing defeated copies of the software. Its an
> arms race, one you will ultimately lose. )
>
eko
7/8/2019 1:44:46 AM
Hi,

On Mon, 8 Jul 2019 08:44:46 +0700
Eko Budiharto <eko.budiharto@gmail.com> wrote:

> dear all,
>
> first of all, thank you for the respond of my inquiry. And then, there
> is a few questions I would like to ask:
>
> 1. if someone takes your works and then he steals the credit by claiming
> the work is his work instead of your work, what will you do?
>

First note that it never happened to me.

Anyway, in this case, I will try to find evidence that I originated the works
first, e.g:

* https://en.wikipedia.org/wiki/Wayback_Machine

* https://en.wikipedia.org/wiki/Version_control histories

* https://en.wikipedia.org/wiki/Internet_forum archives

Note that I think the most restrictive licences I used are
https://en.wikipedia.org/w/index.php?title=CC-by-nc-sa&redirect=no and
https://en.wikipedia.org/wiki/Affero_General_Public_License which also allow
asserting copyright on derivative changes.

If the person who claims my work is theirs does not sue me for infringement, I
will likely not care much:

* https://fc-solve.shlomifish.org/faq.html#abuse_of_fc_solve

* https://www.mail-archive.com/linux-il@cs.huji.ac.il/msg56378.html

> 2. if someone has a problem, he does not want to try to find a way to
> solve the problem first, and then he asks your help and then problem
> solved, then he is blaming the person who already helped him and
> claimed, that is his work. what will you do?
>

What do you mean?

> This is kind of some images of this dishonest person.
>
> I do not mind to share my code to the person, if he does not have that
> character.
>
> So far, I am using the perl code for web application in a hosting
> server. But this time, I have to create a web application on a on
> premise server.
>
> I am not an expert yet in perl and still learning although I know perl
> when I got still in my university 19 years ago.
>
> regards,
>
> Eko Budiharto
>
>

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
The Case for File Swapping - http://shlom.in/file-swap

Do you always begin conversations this way?
    — https://en.wikipedia.org/wiki/The_Princess_Bride_%28film%29

Please reply to list if it's a mailing list post - http://shlom.in/reply .
shlomif
7/8/2019 7:56:09 AM
>> 2. if someone has a problem, he does not want to try to find a way to
>> solve the problem first, and then he asks your help and then problem
>> solved, then he is blaming the person who already helped him and
>> claimed, that is his work. what will you do?
>>
> What do you mean?
>
>
dear Shlomi,

what I mean in this one is the person has a problem, but he does not 
make any effort first, he just asks for the solution from someone else. 
After the problem is solved, he blames the person.

For example:

I have a problem and then I do not do anything or make my own effort and 
then I ask your help to solve it for me. After the problem is solved 
because you helped me, I blame you instead of being grateful and thanking 
you, and plus I say to everyone that I am the one who solved it instead of 
you.
eko
7/8/2019 8:07:41 AM
On Mon, 8 Jul 2019 15:07:41 +0700
Eko Budiharto <eko.budiharto@gmail.com> wrote:

> >> 2. if someone has a problem, he does not want to try to find a way to
> >> solve the problem first, and then he asks your help and then problem
> >> solved, then he is blaming the person who already helped him and
> >> claimed, that is his work. what will you do?
> >>
> > What do you mean?
> >
> >
> dear Shlomi,
>
> what I mean in this one is the person has a problem, but he does not
> make any efforts first, he just ask the solution from someone else.
> After the problem is solved, he blames the person.
>
> For example:
>
> I have a problem and then I do not do anything or make my own effort and
> then I ask your help to solve it for me. After the problem solved
> because you helped me, I blame you instead you being grateful and thank
> you and plus I said to anyone that I am the one who solved if instead of
> your name.
>

I understand now, thanks. That seems like a very ungrateful and "bastard"y
thing to do. I won't like it, but I'm not sure how I'll act.

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
http://youtu.be/xZLwtc9x4yA - Anime in Real Life!! (Parody)

An apple a day keeps the doctor away.
Two apples a day will keep two doctors away.
    — one of Shlomi Fish’s relatives

Please reply to list if it's a mailing list post - http://shlom.in/reply .
shlomif
7/8/2019 12:06:52 PM
On Mon, 8 Jul 2019 at 13:45, Eko Budiharto <eko.budiharto@gmail.com> wrote:
>
> dear all,
>
> first of all, thank you for the respond of my inquiry. And then, there
> is a few questions I would like to ask:
>
> 1. if someone takes your works and then he steals the credit by claiming
> the work is his work instead of your work, what will you do?


1. Check the relevant licenses or contracts you issued your code under.
2. If they are in contravention of these, threaten them with a lawsuit.
3. If possible, follow through with the lawsuit.

> 2. if someone has a problem, he does not want to try to find a way to
> solve the problem first, and then he asks your help and then problem
> solved, then he is blaming the person who already helped him and
> claimed, that is his work. what will you do?

1. Refuse to offer them future support

Understandably, both of these situations are not nice to be in.
However, the hard reality is you *cannot* protect code from
unscrupulous agents who you've given it to beyond legal manners.

No more than you can prevent somebody from modifying a vehicle you sold them.

You can make it more difficult, and you can perform various legal
moves (Copyright law, Trademark violations, Patent Law) to
deter/restrict it, but you cannot prevent the act.

Take the humble padlock. If you think you can make a 100% secure
padlock, you're kidding yourself. There's a collection of youtube
channels of people defeating these in various ways, some of them are
defeated in *comically* short time. I doubt there are many, if any,
that are completely immune to attack.

The time and money invested in these are frequently a total waste.

They only serve as a *deterrent* against all but the most persistent attacker.

Because "The lock is only as good as the thief is honest".

Sure, it does make sense to have some sort of arbitrary deterrent, but
what will _you_ do after you spend all this time investing in said
deterrent, and your user trivially defeats it on day 1 *anyway*?

It's not like you leave your house unlocked, but ultimately, if the
lock is broken, what will you do then?

If your lock is defeated and your stuff is stolen, that's when you
call up the legal system.

Software is not a whole bunch different.

The only way to completely secure something against a user meddling
with it against your wishes, is simply to put it in a place they can't
execute *any* attacks.

As then, they have to violate your physical security to contravene the software.

( What are you going to do if an aggrieved user bashes down the door
to your server cabinet and steals your hard drive? You'll call the
police. Software isn't exactly going to save you here. But it might
help you if your hard drives are encrypted. But you're still gonna
need to call the police )

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
kentfredric
7/9/2019 1:27:59 PM