jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 26850
Joined: Sat Jul 30, 2011 7:41 pm

Obfuscation thread

Sun Jan 24, 2016 11:26 am

I was so disappointed that this thread degenerated into mud slinging, insults and general bad behaviours, and because the forum is such a pain to use to delete individual posts from a thread, I've deleted the whole thing.

Apart from Spam threads, this is the first time I have had to delete a whole thread. You should be ashamed of yourselves.

I apologise to the OP for deleting everything, please start a new thread if you still need more information.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

ejolson
Posts: 5595
Joined: Tue Mar 18, 2014 11:47 am

Re: Obfuscation thread

Sun Jan 24, 2016 4:17 pm

I put thought and effort into my posts to this thread and find it discouraging that you have found it a pain to preserve the meaningful replies on the subject of code obfuscation and copy protection. The original post was serious and received reasonable advice that he and others including myself may want to review in the future. Please find the time to clean up the previous thread.

By luck my last post was still in the browser cache. I'm placing it here because I don't know whether the intended recipient ever received it.
mmkw43 wrote:Actually, I'm a complete novice on the subject and just wanted to learn about it (obfuscated code). I just want to make it more difficult for the "average Joe". Using the pyc file may be all I need but also was just looking at something regarding config.txt and noticed you can access the serial # for the PI. Couldn't I also do something in my code at the start of the program to access it and attach one specific SD card to one specific PI?
Though the Pi Foundation is trying to change things, the average Joe doesn't have the computer literacy skills needed to read and understand even non-obfuscated Python code. At the same time, the kids interested in such things seem able to bypass the most sophisticated code obfuscation techniques currently available. Even hardware implemented secure boot systems for phones, tablets, netbooks, video game consoles and other devices are often bypassed within months after product availability.

One solution is to create devices that need network connectivity to operate and then run an essential part of the program on a remote server. This is called software as a service and opens up the potential to monitor exactly what every user does which in turn gives you the ability to license the software on a yearly, monthly or even hourly basis. The marketing strategy goes like this: think of how much money you will save if you only have to pay for the hours that you actually use.

If your customers are law abiding in the first place, then a carefully worded license agreement mentioning relevant copyright and patents should be sufficient. Even in this case, I would suggest watermarking the executables in each deliverable with unique serial numbers and possibly displaying a "licensed to" message when the program first boots.

rurwin
Forum Moderator
Posts: 4257
Joined: Mon Jan 09, 2012 3:16 pm

Re: Obfuscation thread

Sun Jan 24, 2016 4:47 pm

What's gone is gone, I'm afraid.

Which is good news for someone because I was very close to handing out a couple of bans this morning. Only the fact that I try to never post until I have woken up properly prevented me doing it. And those would have been my first bans too.

W. H. Heydt
Posts: 12970
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Obfuscation thread

Sun Jan 24, 2016 5:12 pm

On the point about kids being able to defeat security measures, besides that not being a new issue (game companies have been struggling with that for decades), there is an implicit assumption in all security measures. Specifically that the person devising the measures is smarter than the person(s) trying to defeat them. If there is one certain thing in this world it is that there is *always* some person or combination of people smarter than you are.

As my father used to say..."Locks are for honest people."

All of that said...code obfuscation is NOT a good security measure.

rpdom
Posts: 17426
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Obfuscation thread

Sun Jan 24, 2016 5:24 pm

W. H. Heydt wrote: All of that said...code obfuscation is NOT a good security measure.
I quite agree.
(anecdote time)

I got one of my first programming jobs because I hacked around the obfuscation on some code I "acquired" via semi-legit means.

A friend of mine was working for a company that produced some software for the BBC Micro. The (released) code was mostly in BASIC, but packed down so the variable names were meaningless and lines concatenated as much as possible. The main reason for that was actually to reduce the size of the running code so it would fit in the available memory. I managed to unravel the code to the point I was able to customise it to suit my own needs.

When my friend decided to move on from that company, he suggested me as a replacement, citing the work I had done on the code without access to the original source. When they saw what I had done they took me on straight away. No interview or anything.

With access to the proper source I was able to produce for them a much more streamlined version of the package, with several additional features and other improvements. I also updated my own version and customised that even more heavily.

I still did consultancy work for that company for a few years after I moved on to another job (which didn't involve over 5 hours of commuting by train and tube each day).

rurwin
Forum Moderator
Posts: 4257
Joined: Mon Jan 09, 2012 3:16 pm

Re: Obfuscation thread

Sun Jan 24, 2016 5:46 pm

Well if we're anecdoting...
My friend and I bought a game for the BBC Micro. It was a recreation of the 2001, A Space Odyssey docking sequence. You had to dock your shuttle into the rotating space-station.

One time playing it was enough. By the time we had got anywhere near the space-station it had distorted so badly that docking was impossible. So then we started looking at the code to find out why.

The first bit of code to run loaded and decrypted the rest of it. It was simple XOR with FF if I remember correctly but there was probably a little more to it. In the end we found the main program was written in BBC BASIC and the reason that it broke so badly was that the positions of all of the pieces were continually modified with floating point maths. The rounding errors kept adding up until the shape they were representing changed beyond recognition.

At least we got our money's worth cracking it. Their other customers were not so lucky.

mmkw43
Posts: 554
Joined: Tue Dec 24, 2013 6:18 pm

Re: Obfuscation thread

Sun Jan 24, 2016 6:03 pm

Could someone point me to possibly a standard license agreement that I can modify? Thanks for the help -- I did learn about the subprocess module the other day and planning on doing something with the PI serial number. Just need some deterrents and for my users, the license agreement and some serial number tricks will probably suffice.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 26850
Joined: Sat Jul 30, 2011 7:41 pm

Re: Obfuscation thread

Sun Jan 24, 2016 8:15 pm

ejolson wrote:I put thought and effort into my posts to this thread and find it discouraging that you have found it a pain to preserve the meaningful replies on the subject of code obfuscation and copy protection. The original post was serious and received reasonable advice that he and others including myself may want to review in the future. Please find the time to clean up the previous thread.
Deleted is deleted sadly. It would have taken 15-20 minutes to sort that thread out, and it's not worth the mod time. However, we are expecting a new forum system relatively soon, and I have asked for a better way to delete posts (ie checkbox all the posts in a thread you want to delete, which may already be there somewhere but the mod tools are..not intuitive..)
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

Kratos
Posts: 395
Joined: Sun Apr 12, 2015 12:41 pm

Re: Obfuscation thread

Sun Jan 24, 2016 8:22 pm

jamesh wrote: However, we are expecting a new forum system relatively soon,
Ooooo...looking forward to it!

Kratos
I have posted mostly with a Pi 2 running either Ubuntu MATE, or Raspbian.

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Obfuscation thread

Sun Jan 24, 2016 9:28 pm

W. H. Heydt,
All of that said...code obfuscation is NOT a good security measure.
I agree.

Your father was right "Locks are for honest people."

However, if you have no fences, windows, doors and locks on your home you are not going to get any support from the law when people walk through and take your stuff.

Since the DMCA you gain some protection under the law. No matter how crappy your security measures are, anyone who busts it is clearly showing bad intent.

How well this works in practice I have no idea. Seems to me that in recent times major software vendors have realized it does not. Hence the move to keep their code in house and move everything to the "cloud".
Memory in C++ is a leaky abstraction.

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Obfuscation thread

Sun Jan 24, 2016 9:36 pm

mmkw43,
Could someone point me to possibly a standard license agreement that I can modify?
After many years of research and consideration I have concluded that the best software license agreement is perhaps this one:
http://www.gnu.org/licenses/old-license ... .0.en.html

Or perhaps this:
https://en.wikipedia.org/wiki/WTFPL

It's your code. It's up to you. Write your own license to suggest whatever terms you like.
Memory in C++ is a leaky abstraction.

W. H. Heydt
Posts: 12970
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Obfuscation thread

Sun Jan 24, 2016 9:46 pm

mmkw43 wrote:Could someone point me to possibly a standard license agreement that I can modify? Thanks for the help -- I did learn about the subprocess module the other day and planning on doing something with the PI serial number. Just need some deterrents and for my users, the license agreement and some serial number tricks will probably suffice.
You could do far worse than start with this one: http://www.gnu.org/licenses/gpl-3.0.en.html

Heater beat me to it....interesting to see us thinking that much alike.

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Obfuscation thread

Sun Jan 24, 2016 10:06 pm

Wicked, aren't we :)
Memory in C++ is a leaky abstraction.

rurwin
Forum Moderator
Posts: 4257
Joined: Mon Jan 09, 2012 3:16 pm

Re: Obfuscation thread

Sun Jan 24, 2016 10:09 pm

I may agree with you two, but that was clearly not what the poster was asking for. Please stay on topic and avoid soap-boxing.

There's as many license texts as there are products. They are also of course copyrighted by their authors. If you don't get a lawyer to write it, it probably wouldn't stand up in court.

However, you don't need it to. If you get to court you've already lost; the only winner is the lawyer.

So google "EULA", read a few different ones, pick the clauses you want and paraphrase. Treat it like you're writing a program; there's a lot in common between legalese and computerese.

But really, if you want it to stand up in court, get a lawyer to write it.

stderr
Posts: 2178
Joined: Sat Dec 01, 2012 11:29 pm

Re: Obfuscation thread

Sun Jan 24, 2016 10:21 pm

jamesh wrote: However, we are expecting a new forum system relatively soon,
Wouldn't it be nice if it was NNTP? We could use normal usenet newsreaders with proper text based quoting and attributing and threads. It amazes me that the internet has so far regressed from what existed and worked great in the 90s and before.

mikerr
Posts: 2826
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK

Re: Obfuscation thread

Sun Jan 24, 2016 10:37 pm

stderr wrote:
jamesh wrote: However, we are expecting a new forum system relatively soon,
Wouldn't it be nice if it was NNTP? We could use normal usenet newsreaders with proper text based quoting and attributing and threads. It amazes me that the internet has so far regressed from what existed and worked great in the 90s and before.
Aptly for this thread - the need for moderation and anti-spam largely killed usenet news as a forum, though it's still around and used mainly for downloading films...
Android app - Raspi Card Imager - download and image SD cards - No PC required !

W. H. Heydt
Posts: 12970
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Obfuscation thread

Mon Jan 25, 2016 12:48 am

mikerr wrote:
stderr wrote:
jamesh wrote: However, we are expecting a new forum system relatively soon,
Wouldn't it be nice if it was NNTP? We could use normal usenet newsreaders with proper text based quoting and attributing and threads. It amazes me that the internet has so far regressed from what existed and worked great in the 90s and before.
Aptly for this thread - the need for moderation and anti-spam largely killed usenet news as a forum, though it's still around and used mainly for downloading films...
I know of a fair number of usenet groups that are still in active use. The spammers have probably moved on to other sorts of forums.

r3d4
Posts: 983
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: Obfuscation thread

Mon Jan 25, 2016 3:35 am

rurwin wrote: But really, if you want it to stand up in court, get a lawyer to write it.
Is getting a lawyer to write it not just another form of obfuscation?



---
“Qui prior est tempore potior est jure” :roll:

stderr
Posts: 2178
Joined: Sat Dec 01, 2012 11:29 pm

Re: Obfuscation thread

Mon Jan 25, 2016 4:06 am

mikerr wrote: Aptly for this thread - the need for moderation and anti-spam largely killed usenet news as a forum,
Usenet supports moderation and kill files and spam filters. Remember Make.Money.Fast, it was reasonably controlled, at least as well as on some web forum.

But I wasn't talking about usenet, I was talking about using an NNTP server. The main reason that web forums exist is because they allow ads to be shoved at users. Of course sane people cull ads, but many people don't and that drives the various talk pages. I don't believe there are ads here, although I don't actually know. Assuming there aren't any, there isn't any reason to not use a regular news server.

Imagine being able to download your messages and read threads which had all the messages you already read marked as read. You could reply to individuals and follow threads. Your messages included quoted material and were attributed automatically! All this stuff existed back in the 90s and it's just gone because companies like Facebook and Disqus and others and the web sites that support them, they have taken over. But it's not better.

rurwin
Forum Moderator
Posts: 4257
Joined: Mon Jan 09, 2012 3:16 pm

Re: Obfuscation thread

Mon Jan 25, 2016 7:39 am

We're getting off topic now, but stderr, you are obviously unaware of how most online citizens use the Internet.

Case in point, a while ago some forum or other happened to google above Facebook for searches of "Facebook". It was immediately inundated with threads complaining about the new Facebook look and feel and how all their pictures and friends had gone.

The web is popular because it is pretty much foolproof.

Jednorozec
Posts: 809
Joined: Sun Nov 24, 2013 2:17 pm
Location: Deposit, NY

Re: Obfuscation thread

Mon Jan 25, 2016 10:07 am

rurwin wrote: The web is popular because it is pretty much foolproof.
And any fool can have a website.
The most important leg of a three legged stool is the one that's missing.
It's called thinking. Why don't you try it sometime?

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 26850
Joined: Sat Jul 30, 2011 7:41 pm

Re: Obfuscation thread

Mon Jan 25, 2016 10:29 am

KEEP IT ON TOPIC.

Please
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

hippy
Posts: 8077
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Obfuscation thread

Mon Jan 25, 2016 10:40 am

I am not sure why a GNU or any 'open source' license is being suggested as best when the OP is seeking to keep things closed source and locked-down, discouraging sharing, reverse engineering and attempts to work round protections put in place. Those would seem to be the most inappropriate licenses for such use.

What the OP seems to need is the threat of dire consequences should the end user do anything which the OP wants to prevent. That would usually come as a threat to take legal action should they stray from the license terms.

Short and sweet and to the point would seem to be the best approach. If it scares the end-user into compliance then job done, it doesn't matter so much if it's not enforceable or is only a hollow threat.

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Obfuscation thread

Mon Jan 25, 2016 12:57 pm

hippy,

The opensource license thing was just a joke. Perhaps not a very good one.
Memory in C++ is a leaky abstraction.

W. H. Heydt
Posts: 12970
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Obfuscation thread

Tue Jan 26, 2016 2:04 am

hippy wrote:I am not sure why a GNU or any 'open source' license is being suggested as best when the OP is seeking to keep things closed source and locked-down, discouraging sharing, reverse engineering and attempts to work round protections put in place. Those would seem to be the most inappropriate licenses for such use.

What the OP seems to need is the threat of dire consequences should the end user do anything which the OP wants to prevent. That would usually come as a threat to take legal action should they stray from the license terms.

Short and sweet and to the point would seem to be the best approach. If it scares the end-user into compliance then job done, it doesn't matter so much if it's not enforceable or is only a hollow threat.
It's been pointed out that, particularly by using Python, keeping the source code hidden and/or "locked down" isn't really going to do much to protect it. The GNU licenses do provide for charging for support and distribution (costs, anyway). There is, generally speaking these days, more money in *supporting* software than there is in writing it. Given those realities, using a good OSS license is not a bad option, even if it isn't what the OP thinks he wants.
