Protecting Code

kee nethery kee at kagi.com
Sat Apr 24 12:06:14 EDT 2004


On Apr 23, 2004, at 10:53 PM, Cubist at aol.com wrote:

> sez kee at kagi.com:
>> If I was going to create Revolution code that I wanted to give to
>> others but that I wanted to make sure that they could not change in
>> the Revolution Editor, how would I protect it? I'd want people to be able
>> to call it and compile it into their standalone apps. My preference is
>> to not use an XCMD kind of thing because I'd like to write once, lock,
>> and then allow people to deploy everywhere.
> I don't think what you're asking for is possible. If you don't want to go
> the XCMD route, your code *will* be plain vanilla ASCII at some point, and
> anyone who wants to muck with said code will be able to do so at that point.
> Perhaps if I knew what goal you're striving towards, I might be able to offer some
> helpful advice: Are you trying to stop code thieves, or are you trying to
> ensure that the user will always have a pristine copy of your code in case they
> *do* screw it up horribly, or what?

We are going to have a Kagi Registration Module for RunRev and that 
module will basically be a mini-store that someone would embed into 
their RunRev application. When the customer decides to buy, the app 
would call the KRM, it would gather customer purchase data (including 
credit card info), bundle it up, send it securely to Kagi, Kagi 
processes it, generates a registration code, and sends that code back 
to the app, the app installs the code and the entire purchase cycle is 
complete.

Want to make sure that it is less than trivial for a malicious coder to 
take the KRM, and hook extra code into it that would send the credit 
card data to some other server that should not be receiving credit card 
data, embed the modified KRM into software that they are selling, and 
then use KRM to steal credit cards.

I realize that in the end, everything is modifiable if you really know 
your stuff and that less than trivial does not mean impossible. The 
goal is to make it difficult to make these kinds of mods. Ultimately 
the protection against this happening is that we will see the pattern 
and we will be able to call in police to arrest the software author who 
might do such a thing. I'd just like to make it difficult for someone 
to consider this avenue of crime. It would be a rather stupid crime 
given that only one person could commit it (the software author) and 
the proof would be easy to establish (their software, their server).

The reason for regular runrev code versus an XCMD is that we would like 
to "write once run everywhere" by making this as standard as possible.

Thanks, Kee Nethery


