protection by encoding and other means?
ashley98860615
07-28-2006, 06:35 AM
Hi
This is a theoretical case, not actually happening but may do soon:
Say you are selling a script; any script will do. It doesn't cost much and it doesn't enhance anything beyond belief. Just a script. As you are SELLING this script and not giving it away for free under a free license (GPL etc) do you/how do you:
- Do you encode the script so no-one can read it but it will work
- If you do encode it, this will not stop people from copying and pasting the whole thing to one another so therefore how do you protect it from being copied?
- How do you make sure the correct people are running only scripts they have bought? Site keys which relate to a database - bit much for every connection.
Basically: encoded? Protection? Security?
Any comments/suggestions?
frikikip
07-28-2006, 07:14 AM
You should at least obfuscate your code. But it is best to encode it.
I've used the IonCube encoder in the past. It costs like $200 or something but it works really well. It has options to make sure your script can only run on 1 (or more) IP or MAC addresses. You can also add a date limit, etc.
There is also the Zend encoder, but that one is really expensive $ 2000 or more.
Good Luck,
Marv.
planetsim
07-28-2006, 07:56 AM
I don't see the point really in obfuscating the code, both methods have been cracked too. I believe vBulletin don't do any obfuscating of their code and although it does get pirated most people do pay for it.
frikikip
07-28-2006, 08:06 AM
True, obfuscating doesn't help against pirating.
But there is no way you can protect your code without encoding it. There are of course other methods like a built in 'phone home' function which connects to your site every now and then to check if all is well, but you still need to encode your source code to cover it up.
I know both ioncube and the zend encoder have been cracked in the past (the new versions haven't been cracked yet), but there really isn't any good alternative.
If you find one, please let me know.
Good luck,
Marv.
MarkR
07-28-2006, 09:07 AM
You should sell a support licence for it; anyone who runs it without one gets no support or updates.
Another thing you can do is put some small code in it which allows you to find (public) instances of this application on Google - then you can periodically find them and compare it with the people who have licences.
You can then offer those people who are running unlicenced copies a reasonable cost support licence, or suggest that they might want to stop running it, or you could contact their hosting provider and report the violation.
In the UK, providers will pull the plug on anything that is even suspected of being dodgy (even if it turns out to be legit) due to the hideous threat of litigation and possible costs occurring to the provider.
You can also node-lock it and have a warning on the top of the source code "Warning: modifying this code violates your licence conditions and will render this application unsupported and probably stop it from working"
Mark
MarkR
07-28-2006, 09:10 AM
Selling software is wrong on principle. You're not selling a boxed product containing some code with no support.
You're selling a supported product that the customer has update / maintenance channels, and some degree of assurance of continued development.
Mark
ashley98860615
07-28-2006, 04:26 PM
i like the methods of 'phoning home', but how would the connection be made - with a site key? I guess this would need some kind of maths function to produce a unique key. encoding sounds expensive and i thought the server had to run the decoders in order for them to work. can an encoding script be made?
also markR i don't understand your post previously to this one and what a support license is - give it away free then charge for assistance? or only give assistance with details checked on a database?
thanks
Elizabeth
07-28-2006, 07:14 PM
Selling software is wrong on principle. You're not selling a boxed product containing some code with no support.
You're selling a supported product that the customer has update / maintenance channels, and some degree of assurance of continued development.
Mark
I don't agree with this - software is essentially intellectual property, the same as if you wrote a book or painted a picture. So why would selling it be "wrong on principle"?
frikikip
07-31-2006, 05:52 AM
I agree with Elizabeth,
Selling software isn't 'wrong'. It depends on the type of software whether you sell it without support or deliver the product on a support license base.
There are several ways to create phone home functionality for your application: through a socket connection, SOAP, xml, etc. There is a catch however.
Most webservers are located behind a firewall and aren't able to communicate to the outside. Should those webservers be able to run your software? What happens if your service is down for a while?, etc.
Creating your own encoder is difficult. Most existing encoders are able to load the decoders on runtime using the dl() function ( http://www.php.net/dl ). This means you don't need to install any software on your server. Most shared hosts however disable this feature because of security reasons. Using an encoder is only financially expensive; I haven't been able to detect any increase in server load when using encoded software.
Greets,
Marv
vaaaska
07-31-2006, 06:56 AM
I believe MarkR was talking about the bigger problem...and that's 'intellectual property' not really being intellectual property. If you aren't aware, somebody owns the patent to the whole concept of websites using databases...so you are all in violation of their patent.
That kind of thing...generally speaking. If you want your kids to ever have a chance to innovate for real then you will support that they put an end of some of the frivolous crap that is being trademarked, copyrighted, etc. MS filed for something like 3,000 patents last year...eh? And they have tried to patent important generic parts of CSS in the past (I think they even got one of them). See the point...
But yes, people should still certainly be able to protect their own work. If you want to sell it and you can sell it then why do you need to encrypt it though? Simply don't give it away for free and put it in the TOS that it's only for one site, one company, one license, etc. Just don't violate any open source licenses in there like plenty of folks are doing (that's called hypocrisy).
Personally, I will exhaust every search possible to find free software solutions to things...and/or...I will only pay for things that are really and truly well made and suit my near exact needs.
Weedpacket
07-31-2006, 08:19 AM
Hmm.... there's a debating point for a students' debate if anyone has any students lying around handy: "Software: Product or Service?"
Elizabeth
07-31-2006, 09:23 AM
Hmm.... there's a debating point for a students' debate if anyone has any students lying around handy: "Software: Product or Service?"
I think it's a product, just like a book. (Unless it's something like gmail or flickr that are being hosted for you - then it's a service). Support for said software (or technology book) would be a separate service that the author can choose to offer as a complement.
And as far as Vaska's comment about patents go - I don't think there is anything against using a device or method that's been patented... that's sort of the point. It is available to use as you see fit, not to create and then say "I made this up". I don't think anybody is claiming they created the concept of using databases and the web. Why would you patent something and then say "I made this cool invention, but nobody can ever use it?"
I use and eat patented things every day. It's just a means to an end, is it not? I use patented word processing software to write my intellectual property-- does that mean I am in violation of patent laws? Gosh I hope not, otherwise any writer who's ever used Word will be in a mess of trouble. Likewise with any graphic artist who's used Photoshop or Illustrator...
Just my 2 cents, but of course we all know that IANAL :)
Rodney H.
07-31-2006, 05:39 PM
I don't have a lot of experience with this, but I will tell you what I did for a limited use application...
I wrote some software for a specific client, but it was through an intermediary, who I suspected might want to take it and use it for another one of their clients or even for themselves.
I did the following:
1) hired a lawyer and made the company I was working for sign a contract for reselling one instance of the application. if they used it in any other way, they would be in violation of the contract and be held accountable.
2) put some code that would email me if it were to be run on another server other than what was intended. the code would also shut down the app and notify the user that it was running on a server other than what was intended and if it was run again, it would delete all the files in that directory on the server (I did write a script that WOULD do just that if my warnings were not heeded...)
3) I encrypted the whole shebang...
vaaaska
08-01-2006, 07:41 AM
And as far as Vaska's comment about patents go - I don't think there is anything against using a device or method that's been patented... that's sort of the point. It is available to use as you see fit, not to create and then say "I made this up". I don't think anybody is claiming they created the concept of using databases and the web. Why would you patent something and then say "I made this cool invention, but nobody can ever use it?"
What kind of 'usage' though? Using a product is one thing. But, using the product to develop your product is another matter.
Using a text editor is not 'usage' of a patent or a method. But using the method in your method is usage of a patent.
And there are big issues with that. And big money to be made for those who own the patents/copyrights/trademarks/whatever. For future generations to come as well.
The real problem is that corporations are increasingly patenting 'concept' patents to describe an idea - just like the people who own the patent for websites that use databases. Of course, I doubt they would be willing to lose all their karma points by suing, but they have grounds to make the attempt. And they shouldn't even have that...
When you consider emerging markets and their disinterest in primarily the Western world's hold of patent rights, rules and regulations you can see the storm. China could care less about a patent unless they too own it (I won't go into how if you want to start a business in China you basically have to give up partial or all ownership rights to many things).
Furthermore, it's mostly large corporations who pursue litigation over patent violations - not the small folks (although it does happen).
People do still need the ability to protect their work and ideas, but patent/IP laws are outdated and the patent offices are years behind schedule. A friend of mine just happens to be an IP attorney...over the course of a weekend I learned all kinds of very scary things.
When the time comes, I want my kids to have the opportunity to have ideas without some multinational corporation having pre-existing and pursuable rights to 'related' concepts.
Anyways, I think I've taken this thread for a tangent... ;)
Weedpacket
08-01-2006, 09:13 AM
Quite. It's not use that patents are supposed to prevent, it's imitation. If you invent the autofoo, patenting it gives you certain rights to benefit materially from that invention (I'm sure you expect some reward for your effort, and quite right too); this includes control of the manufacture of autofoos (if someone wants to manufacture autofoos, they need to get your permission and presumably pay you a licensing fee). What happens to those autofoos once they've left the market and gone into the street is not up to you, but you can crack down on any rival autofoo manufacturers who are out there stealing food from the mouths of your children.
Same with patenting the concept of an online shopping cart, or downloadable video, paying by credit card over the Internet, or thumbnail images (just to pick three examples of patented concepts). If you've patented one of those, then you've got legal prevention against anyone else building the same thing for their site or distribution. Because every time someone comes up with the idea of putting a thumbnail on their site (since that is what was patented - not the implementation, but the concept), then that's an infringement on your patent rights (assuming that you're the person who patented the thumbnail image: I'm guessing you're not :)).
Of course, if you don't have a product, then they're legally screwed - they can't use yours and they can't make their own. But that's their problem, not yours, right?
Incidentally, I'm reminded of the occasional myths along the lines that someone invents a car engine that runs on water, but the oil barons bought the patent for squillions of dollars so that no-one would be able to manufacture it (and they're certainly not about to start). Problem with the story, of course, is that patents are necessarily a matter of public record.
All in all, Rodney H.'s point (1) is the strongest defence (I'm arguing with myself about whether the contract should mention the gist of point (2)....).
And if, ultimately, your software becomes widely pirated despite points (1), (2), and (3), then at least it's your software that's being pirated, and with luck rogue users will become so hitched to it that when they do want to go legit there's only one supplier (which is why Microsoft isn't too upset about the number of illicit copies of Windows floating around in China.)
sneakyimp
08-01-2006, 07:25 PM
Seems clear to me. Software is a product. Writing software is a service. Just like cars are a product and repairing them (because they WILL break) is a service. Finished software can be packaged and sold just like an apple or a bicycle or paper clips. Difference is that software can be effortlessly copied and distributed.
The issue of patents is moot as far as the product/service debate. Furthermore, i seem to recall some fine nitpicking point about patents. You can't patent a concept, but only a device, substance, method, or process.
Isn't the original question really about how to earn money from what you do and prevent other people from stealing your market share either through piracy or competition? Sounds like Rodney has it down to me.
vaaaska
08-02-2006, 03:46 AM
Furthermore, i seem to recall some fine nitpicking point about patents. You can't patent a concept, but only a device, substance, method, or process.
Then why is it happening?
There are a bunch of IP blogs out there...do some research and you'll find out that things are not nearly so standardized.
ashley98860615
08-02-2006, 01:51 PM
1) hired a lawyer and made the company I was working for sign a contract for reselling one instance of the application. if they used it in any other way, they would be in violation of the contract and be held accountable.
2) put some code that would email me if it were to be run on another server other than what was intended. the code would also shut down the app and notify the user that it was running on a server other than what was intended and if it was run again, it would delete all the files in that directory on the server (I did write a script that WOULD do just that if my warnings were not heeded...)
3) I encrypted the whole shebang...
So anyway, i like this idea (excluding the expensive lawyer - i'm sure i can knock something up or find something out there that will suit my needs).
Rodney any clues on this server checking malarkey? I'm guessing you must use server name and then relate it to a variable somewhere (but where??) and then run the rest of the script. the hard part would be ensuring people don't delete that function and then replace it with 'return true;'
as for patents etc; if i've worked hard on something then i don't want any old person nicking the code and the acknowledgement of my hard work and effort
sneakyimp
08-02-2006, 02:17 PM
checking the server is easy.
if ($_SERVER['SERVER_NAME'] != 'www.paidclient.com') {
    // not running on the paid client's host: e-mail the author
    mail('rodney@rodney.com', 'blah', 'blah');
}
You'd put that in some file that is included by every single page in your project (which is a good thing to have because it can connect to the db, perform certain environment setup, etc.).
As for removing it, Rodney has encrypted the source code. Good encryption is not only impossible to decipher but has a checksum which prevents alteration of the code.
as for patents etc; if i've worked hard on something then i don't want any old person nicking the code and the acknowledgement of my hard work and effort
a patent is different than a copyright:
http://en.wikipedia.org/wiki/Patent
http://en.wikipedia.org/wiki/Copyright
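An added example, not code from any poster in this thread: one way to build the "site key" asked about earlier and the server-name check shown above, as a licence signed by the vendor and verified offline with no phone-home connection. The function names, the licence format and the demo key pair are assumptions; it uses PHP's bundled sodium extension (PHP 7.2+).

```php
<?php
// Added example, not code from the thread. Needs PHP 7.2+ (bundled sodium).
// Function names and the licence format are assumptions made for illustration.

// Vendor side: sign "this host, until this time". The secret key never ships.
function issue_licence(string $secretKey, string $host, int $expires): string
{
    $payload = json_encode(['host' => strtolower($host), 'expires' => $expires]);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Customer side: only the public key is embedded in the shipped script.
function check_licence(string $licence, string $publicKey, string $host, int $now): string
{
    $parts = explode('.', $licence);
    if (count($parts) !== 2) {
        return 'malformed';
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    // Length check first: sodium throws on a signature of the wrong size.
    if ($payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return 'bad-signature';
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !is_string($claims['host'] ?? null)
        || !is_int($claims['expires'] ?? null)) {
        return 'malformed';
    }
    if (!hash_equals($claims['host'], strtolower($host))) {
        return 'wrong-host';
    }
    return $now <= $claims['expires'] ? 'ok' : 'expired';
}

// Constructed demo: throwaway key pair, host name taken from the post above.
$pair = sodium_crypto_sign_keypair();
$secret = sodium_crypto_sign_secretkey($pair);
$public = sodium_crypto_sign_publickey($pair);
$expires = gmmktime(0, 0, 0, 1, 1, 2030);
$licence = issue_licence($secret, 'www.paidclient.com', $expires);
$now = gmmktime(0, 0, 0, 6, 1, 2029);

// In a real include file the host would come from $_SERVER['SERVER_NAME'].
echo check_licence($licence, $public, 'www.paidclient.com', $now), "\n";
echo check_licence($licence, $public, 'www.other.example', $now), "\n";
echo check_licence($licence, $public, 'www.paidclient.com', $expires + 1), "\n";
// A licence edited to name another host no longer verifies.
$forged = base64_encode('{"host":"www.other.example","expires":9999999999}')
    . substr($licence, strpos($licence, '.'));
echo check_licence($forged, $public, 'www.other.example', $now), "\n";
```

Because verification is offline it also works on servers that cannot connect out, the catch raised about phone-home. It still depends on the script around it not being edited, which is the job the posters give to the encoder.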
ashley98860615
08-02-2006, 02:25 PM
patent is paid for right, copyright is automatic on anything written?
sneakyimp
08-02-2006, 02:51 PM
Read the links ;)
Rodney H.
08-02-2006, 09:34 PM
As for removing it, Rodney has encrypted the source code. Good encryption is not only impossible to decipher but has a checksum which prevents alteration of the code.
That is correct, sneakyimp.
I checked the server variable, and if it isn't what it ought: Ka-blooey...
The encrypted files are essential. They cannot alter the code.
They cannot remove the SNIPPET because they do not KNOW what that snippet is when it has been mangled by a good encryption tool.
I did something else, too, like defined a variable in my config file, that is included in all the other pages. If they remove the config and try to use something else, not that they could, and that variable is NOT defined, then: Ka-blooey...
It was my fail-safe.