Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Kranti™ K K Parisa
Hi,

Can anyone throw some light on this topic? It seems it is possible to convert
the tomcat+tomcat web applications to native code to secure them and further
to run them on client machines easily.

Please check this.

http://www.excelsior-usa.com/jetinternals.html

How could we achieve this without the above tool? Because the pricing of the
above tool is very costly.

Looking forward to hearing some ideas for this.

Best Regards,
Kranti K K Parisa


Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Leon Rosenberg
Do you develop web applications and deliver them to the client, so
that they can install your applications on their machines without your
access to the machine?

Leon


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Peter Crowther
Well, you could always spend the developer-years to create your own version
of that tool... which would probably be *more* costly.  That's the company I
was aware of; I'm not aware of anyone else who has developed similar
technology.

No application is ever 100% secure from reverse engineering.  So, you have a
business decision to take.  How good is "good enough" protection for your
application?  Who are you defending against, and what kind of effort are you
assuming they're willing to put into the reverse-engineering?

As pointed out by another poster, you can compile JSPs to classes and you
can obfuscate your code.  Is that "good enough"?

- Peter


Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread André Warnier


Hi.
Open Source software is very nice. But some developers have to make 
money to live, also.
Presumably, if the above product is expensive, it is because it is 
complex and took a lot of time to develop.
Nobody is stopping you from inventing and developing your own method, 
and you can then also decide to release it as open source or charge for 
it what you think is the right price.






Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread André Warnier


I'll add something to that, just for the sake of it.
I personally find this situation ironic : here we have someone who wants 
to protect their own code, presumably so that they can charge the 
customer for a copy of it, in order to get back their cost of 
development and some justified profit for their work.
But the same people are apparently unwilling to pay for a product that 
would allow them to do so, and is sold on the same terms.





RE: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Joseph Morgan
http://proguard.sourceforge.net/





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread David kerber


How much is it worth to you to protect your IP against your estimate of 
the likely hacker effort to steal it (which only you can judge)?  Is it 
more than the cost of that package?  If so, then that package is 
reasonably priced.  If not, then you need to pursue some of the other 
avenues to protect it that have already been mentioned, such as 
obfuscation, etc.


D





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Mark H. Wood
Reverse engineering is not a technical problem; it is a legal
problem.  You need a lawyer, not a program.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Kranti™ K K Parisa
Hi Leon,

That's correct. We develop and deploy on client machines, but we want to
secure the code. Please suggest.

Best Regards,
Kranti K K Parisa





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Kranti™ K K Parisa
Well, there are so many comments on the cost of IP and other tools. When we
are a small team that started working on a web-based product with open source
tools, for sure we can't spend too much on the tools to protect the IP
rights, because once we deploy for a few clients, if it's a good product, what
if they steal the code and also the ideas? I agree to have legal terms and all
that stuff, but that would be a big story for us, being small.

So I just wanted to see if anything is available to protect our work and ideas
(ideas at the code implementation level, by using different open source
technologies; well, there are many companies who started like this).

Anyway, thanks for the comments. I would love to share if we invent anything
in this process, because small is big and it matters :)

Best Regards,
Kranti K K Parisa





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread anthonyvierra
Hi Kranti - Honestly, if the ideas in the product are that valuable, anyone
who uses the product with a web browser, print screen, and paint can fully
mock up the application and send the mockups to development. Anything that
is deployed on a server that is out of your control is exactly that. I
understand your need as: "To remotely deploy a Tomcat application to a
customer server." This is the root of the issue. Have you considered a
hosted model for delivery?



Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Leon Rosenberg
Hello Kranti,

First of all, I strongly believe in open source software and don't like
to obfuscate things. But well.

1. If you have internet connectivity on the target server you could
deploy only a skeleton of your application and load the
protect-worthy classes
directly from your servers with your own classloading and some funny
remote-id exchange system. This way even the compiled version of the
application will never be directly available on the customer's hard drive
(you must consider swapping and memory snapshots, but modern OSes
encode them). It's cheap but will probably add a load of complexity,
which you have to manage and, logically, your customer has to pay for.

2. Precompile JSPs and use a code obfuscator on the JSPs and compiled
classes (they replace all private methods and variables with a1, a2,
and so on). There are some on the market, more or less good. Use also a
CSS/JS minifier; they obfuscate as well.

3. Create a genial encryption algorithm with some one-time passwords
and let the customers call you each time they restart the server for a
new password. Maybe charge them per password. The server can then
decrypt the classes with the password before it starts the webapp.

4. Put the code and Tomcat onto a USB stick with an unreadable filesystem
and hack yourself into the USB protocol. Drawback: you'll have to
patch the browsers to accept URLs like usb://localhost/yourapp.

5. Stop wasting your time and invest it into developing new features
and actually selling your product. If it's worth copying it will be
copied this way or another. So far no one has managed to protect their
software against copying; better concentrate on things you really CAN
achieve.

regards
Leon
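Leon's option 3 (classes kept encrypted on disk and decrypted with a password when the server starts), as an added illustration; this is not Leon's code and not anything shipped by Tomcat or Excelsior JET. It assumes AES-GCM with a PBKDF2-derived key, one constructed "<class name>.enc" file per protected class, a constructed demo password and a constructed `Secret` payload class; the comments in `findClass` also spell out the limit Leon hints at with swapping and memory snapshots: once decrypted, the bytecode is plain in JVM memory.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not Leon's code, not a Tomcat facility): sensitive classes are stored
 * AES-GCM-encrypted and a custom class loader decrypts them into memory with a key derived
 * (PBKDF2) from a password supplied at startup. Assumed on-disk layout, our own choice:
 * one file "<binary.class.name>.enc" per class = [16-byte salt][12-byte nonce][ciphertext+tag].
 */
public final class EncryptedClassLoader extends ClassLoader {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 200_000;

    private final Path dir;        // directory holding the *.enc files
    private final char[] password; // supplied at server start, never written to disk

    public EncryptedClassLoader(Path dir, char[] password, ClassLoader parent) {
        super(parent);
        this.dir = dir;
        this.password = password;
    }

    private static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                     .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Build-time step: encrypt one compiled .class file under a fresh salt and nonce. */
    public static void encryptClass(Path classFile, Path outFile, char[] password) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        rnd.nextBytes(salt); rnd.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(Files.readAllBytes(classFile));
        byte[] out = new byte[SALT_LEN + NONCE_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(nonce, 0, out, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + NONCE_LEN, ct.length);
        Files.write(outFile, out);
    }

    /** Run-time step: decrypt, verify the GCM tag, then define the class in this loader. */
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path enc = dir.resolve(name + ".enc");
        if (!Files.isRegularFile(enc)) throw new ClassNotFoundException(name);
        try {
            byte[] blob = Files.readAllBytes(enc);
            byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
            byte[] nonce = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + NONCE_LEN);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
            // Wrong password or tampered file: the tag check fails (AEADBadTagException)
            // rather than handing the JVM garbage bytecode.
            byte[] bytecode = c.doFinal(blob, SALT_LEN + NONCE_LEN, blob.length - SALT_LEN - NONCE_LEN);
            // Limit of the scheme: from here the plaintext bytecode sits in JVM memory, and whoever
            // controls the host can attach a debugger or agent, or dump the heap, and recover it.
            Class<?> k = defineClass(name, bytecode, 0, bytecode.length);
            Arrays.fill(bytecode, (byte) 0); // shortens the window, does not close it
            return k;
        } catch (Exception e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    /** Constructed sample payload standing in for a "protect-worthy" class. */
    public static class Secret {
        public static String answer() { return "decrypted and running"; }
    }

    // Demo: compile with javac into a directory, then run `java EncryptedClassLoader`.
    public static void main(String[] args) throws Exception {
        char[] pw = "demo-password".toCharArray(); // constructed; in production prompt for it at startup
        String bin = EncryptedClassLoader.class.getName() + "$Secret";
        Path classDir = Paths.get(EncryptedClassLoader.class.getProtectionDomain()
                                  .getCodeSource().getLocation().toURI());
        Path encDir = Files.createTempDirectory("encclasses");
        encryptClass(classDir.resolve(bin.replace('.', '/') + ".class"), encDir.resolve(bin + ".enc"), pw);
        // Parent is the bootstrap loader, so Secret can only come from the encrypted file.
        Class<?> k = new EncryptedClassLoader(encDir, pw, null).loadClass(bin);
        System.out.println(k.getMethod("answer").invoke(null));
        try {
            new EncryptedClassLoader(encDir, "wrong-password".toCharArray(), null).loadClass(bin);
        } catch (ClassNotFoundException e) {
            System.out.println("wrong password rejected: " + e.getCause());
        }
    }
}
```

The second load in `main` shows the authenticated-encryption failure path: a wrong password is reported as a load failure instead of a silently corrupted class.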




RE: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Jeffrey Janner
André -
Welcome to the world of small business, for-profit software development.
This is a more common attitude than you might be aware of.
Jeff




Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Pid

On 21/01/2010 16:24, Leon Rosenberg wrote:

> 5. stop wasting your time and invest it into developing new features
> and actually selling your product. If its worth copying it will be
> copied this way or other. So far no one has managed to protect its
> software against copying, better concentrate on things you really CAN
> achieve.
>
> regards
> Leon


I agree with this statement.  Legal issues aside, you can expend 
significant time and effort on protecting your code and a competitor can 
just copy the style, workflow and application logic with probably about 
as much effort as it would take to decompile the byte code, tidy it up & 
get their devs to understand how it works.


In fact, the latter would probably be *more* effort, and you can't use 
technical means to defend against the former.


If you're really paranoid about your code, don't let it out of your 
control, run your app as a hosted service, (as previously suggested).



As Leon says: focus your efforts on making a truly great product and let 
other people worry about keeping up with you.



p






RE: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Dmitry Leskov
To list owner: I am not sure if vendors are prohibited from posting comments to 
this list, if they are, let me know and I won't post next time.

Excelsior JET is not an IDE that every developer must have on his/her 
workstation. It is more like a setup generator. Typically, a team of developers 
working on a particular project would purchase one or two licenses. As a 
result, the smaller the team, the higher is the price per developer. For small 
companies, especially for early stage startups that do not yet have paying 
customers, this surely may be a deal breaker.

We have therefore created a special licensing program that has been working 
very well for our smaller customers since mid-2008:

http://www.excelsior-usa.com/store/jetmb.html

Please do not hesitate to email me directly if you have any questions.

Sincerely,

Dmitry Leskov
Excelsior LLC

P.S. The main information page for Tomcat Web apps protection is
http://www.excelsior-usa.com/protect-java-web-applications.html




RE: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Travis Beech
The GCC compiler for Java allows you to compile Java down to native code
(AOT - Ahead Of Time Compiling). I have never tried it before but it's open
source and free to use.

That being said I'm not certain that compiling your class files down to
native code is going to solve your problem since java web apps are dependent
on the class files generated by your application. Unless I'm missing out on
some functionality of Tomcat that I'm aware of I think your best bet is
obfuscation.

Travis Beech





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Kranti™ K K Parisa
Hi Leon,

Thanks for the notes. Maybe, in parallel to our sales, we may spend some time on
the points you mentioned to protect ourselves in the future.

Best Regards,
Kranti K K Parisa





Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread André Warnier

Dmitry Leskov wrote:

> We have therefore created a special licensing program that has been working
> very well for our smaller customers since mid-2008:
>
> http://www.excelsior-usa.com/store/jetmb.html


To the OP : there, you see, a discount !
And you did not even have to ask.
;-)




Re: Securing Tomcat Applications from Reverse Engineering

2010-01-22 Thread Kranti™ K K Parisa
Hi,

Thanks for the info I shall take a look at the new licensing link you have
sent.

Best Regards,
Kranti K K Parisa



On Fri, Jan 22, 2010 at 11:17 AM, Dmitry Leskov
wrote:

> To list owner: I am not sure if vendors are prohibited from posting
> comments to this list, if they are, let me know and I won't post next time.
>
> Excelsior JET is not an IDE that every developer must have on his/her
> workstation. It is more like a setup generator. Typically, a team of
> developers working on a particular project would purchase one or two
> licenses. As a result, the smaller the team, the higher is the price per
> developer. For small companies, especially for early stage startups that do
> not yet have paying customers, this surely may be a deal breaker.
>
> We have therefore created a special licensing program that has been working
> very well for our smaller customers since mid-2008:
>
> http://www.excelsior-usa.com/store/jetmb.html
>
> Please do not hesitate to email me directly if you have any questions.
>
> Sincerely,
>
> Dmitry Leskov
> Excelsior LLC
>
> P.S. The main information page for Tomcat Web apps protection is
> http://www.excelsior-usa.com/protect-java-web-applications.html
>
>
> > Well there are so many comments on the cost of IP and other tools. When
> > we are a small team that started working on a web based product with open
> > source tools, for sure we can't spend too much on the tools to protect
> > the IP rights. Because once we deploy for a few clients, if it's a good
> > product, what if they steal the code and also ideas. I agree to have
> > legal terms and all that stuff. But that would be a big story for us
> > being small.
> >
> > So just wanted to see if anything available to protect our work, ideas
> > (ideas at code implementation level by using different open source
> > technologies, well there are many companies who started like this).
> >
> > Anyways thanks for the comments, I would love to share if we invent
> > anything in this process, because small is big and it matters :)
> >
> > Best Regards,
> > Kranti K K Parisa
> >
> >
> >
> > On Thu, Jan 21, 2010 at 5:00 PM, André Warnier  wrote:
> >
> > > Peter Crowther wrote:
> > >
> > >> 2010/1/21 Kranti™ K K Parisa
> > >>
> > >>
> > >>> How could we achieve this without the above tool? Because the pricing
> > >>> of the above tool is very costly.
> > >>>
> > >> Well, you could always spend the developer-years to create your own
> > >> version of that tool... which would probably be *more* costly.
> > >>
> > >
> > >
> > > I'll add something to that, just for the sake of it.
> > > I personally find this situation ironic : here we have someone who
> wants to
> > > protect their own code, presumably so that they can charge the customer
> for
> > > a copy of it, in order to get back their cost of development and some
> > > justified profit for their work.
> > > But the same people are apparently unwilling to pay for a product that
> > > would allow them to do so, and is sold on the same terms.
> > >
> > >
> > >
> > >
>


[OT] Re: Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread Peter Crowther
2010/1/21 Mark H. Wood 

> Reverse engineering is not a technical problem; it is a legal
> problem.  You need a lawyer, not a program.

Mmm, yes and no.  Burglary is also a legal problem, but I have locks (on /
around the things I want to keep, of a cost and quality appropriate to my
expected loss) as well as being able to engage a lawyer if required.

- Peter


Re: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread André Warnier

Kranti™ K K Parisa wrote:

Well there are so many comments on the cost of IP and other tools. When we
are a small team that started working on a web based product with open source
tools, for sure we can't spend too much on the tools to protect the IP
rights. Because once we deploy for a few clients, if it's a good product, what
if they steal the code and also ideas. I agree to have legal terms and all
that stuff. But that would be a big story for us being small.

So just wanted to see if anything available to protect our work, ideas
(ideas at code implementation level by using different open source
technologies, well there are many companies who started like this).

Anyways thanks for the comments, I would love to share if we invent anything
in this process, because small is big and it matters :)

The basic principle is : if you developed it, then it is your code, and 
it is your decision what you do with it and how you sell it.
But do not forget that, more than the code itself, it is generally the 
quality of the service that you provide to your customers that will matter.


But I have another suggestion for you : you indicated this product that 
would allow to encrypt your code, and mentioned that it was expensive.
OK. Now, presumably, these people know why they developed it, and why 
they charge the price that they do.  Why do you not contact them, 
explain your situation, and ask them to explain why you should pay that 
price for their product ?
They must have arguments, and maybe they will convince you.  Or maybe 
they will offer you a discount.

;-)





Re: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-21 Thread André Warnier

Jeffrey Janner wrote:

André -
Welcome to the world of small business, for-profit software development.
This is a more common attitude than you might be aware.


I was being somewhat ironic.  Being myself a small for-profit software 
development business, I am well aware of the circumstances.

;-)
But here are another few arguments (apart from the ones I already 
mentioned in another post) :
If you are a small software business whose customers are businesses that 
use your product, and your product is good and your prices are 
reasonable, chances are good that none of your customers is even going 
to bother taking the time to try to copy your product.  If they 
themselves are small/medium businesses, what would they do with it ? 
They have their own business to run.  They are not a software company, 
you are.
And if they are big, they will never risk their reputation and their 
money trying it.
And, agreeing with another post by Leon, you are probably much better 
off spending your time improving and supporting your product, than 
developing ways to try protecting it from unfair copying.
Things would be different of course if your product was something 
destined for the mass-market, or if you intend to sell it through 
resellers, or if your customers are themselves software companies.
I will not mention the fact that in all of the above cases, your highest 
level of risk is probably inside, not outside.
And if you really insist on protecting your code, then I am afraid that 
Java is not the best choice of tool.
And I'll finish with another sarcastic note about code obfuscation : in 
my experience, it is not really necessary to put a lot of effort into 
this.  Other people's code tends to be naturally obfuscated, all by itself.






RE: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-25 Thread Jeffrey Janner
Good points all around.  We had the same issues with our CEO worrying about 
copies of the app being passed around when we started targeting markets where 
piracy is fairly common.  Eventually, we convinced him the best way to address 
them was via legal and marketing techniques.  That is, a very tight license and 
convincing the customer that our product provides a unique tactical advantage 
that they would want to give to their competitors. We did make a few technical 
product changes to aid in the license compliance arena, one of which was 
incorporating a license key that is uniquely and obviously tied to the company 
licensing the product and stored along with the data.  The theory being that a 
customer (or his employee) might be willing to fork over a copy of the code, 
but not their proprietary data.
It's not perfect, but it seems to get the job done.


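The licence-key design Jeffrey describes above (a key that visibly names the licensee and is stored alongside the customer's data), written out as an added example that is not part of this thread and not any vendor's product code. It assumes the vendor signs the licensee name with an EC private key that stays offline and that the deployed application embeds only the matching public key, so a copied installation can verify keys but cannot mint one for a different company; the company names and the key format are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Added example (hypothetical, not from the thread): a licence key of the form
 *   base64url(licensee) "." base64url(ECDSA signature over licensee)
 * The application ships only the vendor's PUBLIC key, so it can check keys
 * but cannot issue them.
 */
public class LicenseKeyDemo {

    /** Vendor side, run offline: sign the licensee name and pack it into a key string. */
    public static String issue(PrivateKey vendorKey, String licensee) throws GeneralSecurityException {
        byte[] payload = licensee.getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(vendorKey);
        sig.update(payload);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(sig.sign());
    }

    /** Application side: returns the licensee named in the key if the vendor signature is valid, else null. */
    public static String verify(PublicKey vendorPub, String licenseKey) {
        try {
            // The base64url alphabet never contains '.', so the split is unambiguous.
            String[] parts = licenseKey.split("\\.", -1);
            if (parts.length != 2) return null;
            Base64.Decoder dec = Base64.getUrlDecoder();
            byte[] payload = dec.decode(parts[0]);
            byte[] signature = dec.decode(parts[1]);
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initVerify(vendorPub);
            sig.update(payload);
            return sig.verify(signature) ? new String(payload, StandardCharsets.UTF_8) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Malformed base64, malformed signature bytes or a bad signature all mean "not licensed".
            return null;
        }
    }

    /**
     * The check the thread describes: the key must be valid AND name the same
     * company that was recorded in the data store when it was created.
     */
    public static boolean licenseMatchesData(PublicKey vendorPub, String licenseKey, String licenseeRecordedInData) {
        String licensee = verify(vendorPub, licenseKey);
        return licensee != null && licensee.equals(licenseeRecordedInData);
    }

    public static void main(String[] args) throws Exception {
        // Vendor key pair; generated here only so the demo is self-contained.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair();

        String key = issue(vendor.getPrivate(), "Acme Widgets Ltd"); // constructed sample licensee
        System.out.println("licence key: " + key);

        // Case 1: key and data store name the same licensee.
        System.out.println(licenseMatchesData(vendor.getPublic(), key, "Acme Widgets Ltd"));
        // Case 2: the same key used against a data store created for someone else.
        System.out.println(licenseMatchesData(vendor.getPublic(), key, "Some Other Corp"));
        // Case 3: licensee name edited inside the key without the vendor re-signing it.
        String edited = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("Some Other Corp".getBytes(StandardCharsets.UTF_8))
                + "." + key.split("\\.")[1];
        System.out.println(licenseMatchesData(vendor.getPublic(), edited, "Some Other Corp"));
    }
}
```

Only the vendor's private key can produce a key that passes `verify`, so the licensee name embedded in a deployed copy is trustworthy and can be shown on every screen and written next to the data, which is the point Jeffrey makes: a copy that is passed around advertises who it was licensed to and refuses to run against data that was set up for a different company. It does nothing to hide or protect the code itself; it complements the licence terms rather than replacing them.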

RE: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-27 Thread Dmitry Leskov
So far only some aspects of code protection have been considered in this 
(off-)topic, namely preventing illegal use and protecting the code itself as a 
piece of intellectual property. However, there are at least two other scenarios 
that may make protection against reverse engineering desirable:

- a malicious user inside the organization that runs the application, tampering 
with the code in order to disrupt its operation, steal sensitive data, and so 
on. 

- a hacker decompiling a legally obtained trial/demo version of a boxed app, 
looking for security vulnerabilities.

Note that both do not need to comprehend how the entire application works, they 
only need to learn enough to determine the vector of attack. 

Dmitry





Re: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-27 Thread André Warnier

Dmitry Leskov wrote:

So far only some aspects of code protection have been considered in this 
(off-)topic, namely preventing illegal use and protecting the code itself as a 
piece of intellectual property. However, there are at least two other scenarios 
that may make protection against reverse engineering desirable:

- a malicious user inside the organization that runs the application, tampering with the code in order to disrupt its operation, steal sensitive data, and so on. 


- a hacker decompiling a legally obtained trial/demo version of a boxed app, 
looking for security vulnerabilities.

Note that both do not need to comprehend how the entire application works, they only need to learn enough to determine the vector of attack. 


Dmitry

You forgot another one, in practice much more likely : a disgruntled 
employee *inside the organisation that creates the code*, stealing a 
copy for his own usage.


I believe it all boils down to "there is no one-size-fits-all" solution.
And anything that is done to "protect" the code has its downside in 
terms of ease-of-use, user-friendliness etc.
You can also put 3 separate locks on all the doors of your house, and 
require 3 separate family members to be present to open them, each one 
with his own key.
It all depends, ultimately, on the kind of application, the kind of 
customers, the kind of distribution of the application, the kind of 
employees you have, and so on.


RE: [OT] Securing Tomcat Applications from Reverse Engineering

2010-01-27 Thread Dmitry Leskov
> Dmitry Leskov wrote:
> > So far only some aspects of code protection have been considered in this 
> > (off-)topic, namely preventing illegal use and protecting the code itself 
> > as a piece of intellectual property. However, there are at least two other 
> > scenarios that may make protection against reverse engineering desirable:
> > 
> > - a malicious user inside the organization that runs the application, 
> > tampering with the code in order to disrupt its operation, steal sensitive 
> > data, and so on. 
> > 
> > - a hacker decompiling a legally obtained trial/demo version of a boxed 
> > app, looking for security vulnerabilities.
> > 
> > Note that both do not need to comprehend how the entire application works, 
> > they only need to learn enough to determine the vector of attack. 
> > 
> > Dmitry
> > 
> You forgot another one, in practice much more likely : a disgruntled 
> employee *inside the organisation that creates the code*, stealing a 
> copy for his own usage.
> 
I think this falls under unfair/illegal use, no?

Here is another product that solves the same problem, but in a different way. 
Their list of scenarios includes five items:

http://www.arxan.com/software-protection-products/java-GuardIt/

Now that I plugged a competing product, we can have a vendor-neutral 
discussion. :)

> I believe it all boils down to "there is no one-size-fits-all" solution.
> And anything that is done to "protect" the code has its downside in 
> terms of ease-of-use, user-friendliness etc.
> 
Sorry, but I cannot fully agree with this one. If you have a bit of time, I 
would greatly appreciate you checking out the following content and telling me 
what exactly is wrong with the ease-of-use and user-friendliness:

http://www.excelsior-usa.com/protect-java-web-applications.html#samples

http://www.excelsior-usa.com/tutorials/jet/eclipse/ 
(this screencast is on protecting Eclipse RCP apps, a very similar one for 
Tomcat is in the works right now.)

> You can also put 3 separate locks on all the doors of your house, and 
> require 3 separate family members to be present to open them, each one 
> with his own key.
> 
I do not see how this is relevant to protection against reverse engineering. 
Perhaps you meant copy protection again: online activation, hardware locks, 
license managers, that kind of stuff?

> It all depends, ultimately, on the kind of application, the kind of 
> customers, the kind of distribution of the application, the kind of 
> employees you have, and so on.
> 
Absolutely. Not everyone needs to protect their Web apps.

Dmitry


Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering

2010-01-22 Thread Mark H. Wood
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:
> 2010/1/21 Mark H. Wood 
> 
> > Reverse engineering is not a technical problem; it is a legal
> > problem.  You need a lawyer, not a program.
>
> Mmm, yes and no.  Burglary is also a legal problem, but I have locks (on /
> around the things I want to keep, of a cost and quality appropriate to my
> expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise.  If you lease a house to someone, you have
no feasible technical means to control who enters your house -- the
lessee possesses a key and can let in anyone he pleases.  But you could
write a lease which constrains the set of people lessee is permitted
to allow in.  (Dunno why, but you could.)

The house would be useless to lessee without a key.  Similarly a
program, distributed to a user, would be useless unless an
intelligible version can be loaded or derived by the user's equipment.
But if the user's equipment can load or derive an intelligible version
of the program, the program can be reverse-engineered.  That's why
software licenses almost always contain specific language about
reverse engineering.

In both cases the owner has *necessarily* given up technical control
of the property, and can only exert control through legal means.  You
can't stop people abusing property that you hand over to them, but you
may be able to punish them if they do.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.

