RE: [OT] Securing Tomcat Applications from Reverse Engineering
So far only some aspects of code protection have been considered in this (off-)topic, namely preventing illegal use and protecting the code itself as a piece of intellectual property. However, there are at least two other scenarios that may make protection against reverse engineering desirable:

- a malicious user inside the organization that runs the application, tampering with the code in order to disrupt its operation, steal sensitive data, and so on.
- a hacker decompiling a legally obtained trial/demo version of a boxed app, looking for security vulnerabilities.

Note that both do not need to comprehend how the entire application works; they only need to learn enough to determine the vector of attack.

Dmitry

> -----Original Message-----
> From: Jeffrey Janner [SMTP:jeffrey.jan...@polydyne.com]
> Sent: Tuesday, January 26, 2010 12:09 AM
> To: Tomcat Users List; Tomcat Users List
> Subject: RE: [OT] Securing Tomcat Applications from Reverse Engineering
>
> [...]
Re: [OT] Securing Tomcat Applications from Reverse Engineering
Dmitry Leskov wrote:
> So far only some aspects of code protection have been considered in this (off-)topic, namely preventing illegal use and protecting the code itself as a piece of intellectual property. However, there are at least two other scenarios that may make protection against reverse engineering desirable:
> - a malicious user inside the organization that runs the application, tampering with the code in order to disrupt its operation, steal sensitive data, and so on.
> - a hacker decompiling a legally obtained trial/demo version of a boxed app, looking for security vulnerabilities.
> Note that both do not need to comprehend how the entire application works; they only need to learn enough to determine the vector of attack.
>
> Dmitry

You forgot another one, in practice much more likely: a disgruntled employee *inside the organisation that creates the code*, stealing a copy for his own usage.

I believe it all boils down to there is no one-size-fits-all solution. And anything that is done to protect the code has its downside in terms of ease-of-use, user-friendliness etc.
You can also put 3 separate locks on all the doors of your house, and require 3 separate family members to be present to open them, each one with his own key.
It all depends, ultimately, on the kind of application, the kind of customers, the kind of distribution of the application, the kind of employees you have, and so on.

> -----Original Message-----
> From: Jeffrey Janner [SMTP:jeffrey.jan...@polydyne.com]
> Sent: Tuesday, January 26, 2010 12:09 AM
> To: Tomcat Users List; Tomcat Users List
> Subject: RE: [OT] Securing Tomcat Applications from Reverse Engineering
>
> [...]
RE: [OT] Securing Tomcat Applications from Reverse Engineering
> Dmitry Leskov wrote:
> > [...]
>
> You forgot another one, in practice much more likely: a disgruntled employee *inside the organisation that creates the code*, stealing a copy for his own usage.

I think this falls under unfair/illegal use, no?

Here is another product that solves the same problem, but in a different way. Their list of scenarios includes five items:
http://www.arxan.com/software-protection-products/java-GuardIt/

Now that I plugged a competing product, we can have a vendor-neutral discussion. :)

> I believe it all boils down to there is no one-size-fits-all solution. And anything that is done to protect the code has its downside in terms of ease-of-use, user-friendliness etc.

Sorry, but I cannot fully agree with this one. If you have a bit of time, I would greatly appreciate you checking out the following content and telling me what exactly is wrong with the ease-of-use and user-friendliness:
http://www.excelsior-usa.com/protect-java-web-applications.html#samples
http://www.excelsior-usa.com/tutorials/jet/eclipse/
(this screencast is on protecting Eclipse RCP apps; a very similar one for Tomcat is in the works right now.)

> You can also put 3 separate locks on all the doors of your house, and require 3 separate family members to be present to open them, each one with his own key.

I do not see how this is relevant to protection against reverse engineering. Perhaps you meant copy protection again: online activation, hardware locks, license managers, that kind of stuff?

> It all depends, ultimately, on the kind of application, the kind of customers, the kind of distribution of the application, the kind of employees you have, and so on.

Absolutely. Not everyone needs to protect their Web apps.

Dmitry

> -----Original Message-----
> From: Jeffrey Janner [SMTP:jeffrey.jan...@polydyne.com]
> Sent: Tuesday, January 26, 2010 12:09 AM
> To: Tomcat Users List; Tomcat Users List
> Subject: RE: [OT] Securing Tomcat Applications from Reverse Engineering
>
> [...]
RE: [OT] Securing Tomcat Applications from Reverse Engineering
Good points all around. We had the same issues with our CEO worrying about copies of the app being passed around when we started targeting markets where piracy is fairly common. Eventually, we convinced him the best way to address them was via legal and marketing techniques. That is, a very tight license and convincing the customer that our product provides a unique tactical advantage that they would want to give to their competitors.

We did make a few technical product changes to aid in the license compliance arena, one of which was incorporating a license key that is uniquely and obviously tied to the company licensing the product and stored along with the data. The theory being that a customer (or his employee) might be willing to fork over a copy of the code, but not their proprietary data. It's not perfect, but it seems to get the job done.

> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Thursday, January 21, 2010 4:56 PM
> To: Tomcat Users List
> Subject: Re: [OT] Securing Tomcat Applications from Reverse Engineering
>
> Jeffrey Janner wrote:
> > André - Welcome to the world of small business, for-profit software development. This is a more common attitude than you might be aware.
>
> I was being somewhat ironic. Being myself a small for-profit software development business, I am well aware of the circumstances. ;-)
> But here are another few arguments (apart from the ones I already mentioned in another post):
>
> If you are a small software business whose customers are businesses that use your product, and your product is good and your prices are reasonable, chances are good that none of your customers is even going to bother taking the time to try to copy your product. If they themselves are small/medium businesses, what would they do with it? They have their own business to run. They are not a software company, you are. And if they are big, they will never risk their reputation and their money trying it.
>
> And, agreeing with another post by Leon, you are probably much better off spending your time improving and supporting your product, than developing ways to try protecting it from unfair copying.
>
> Things would be different of course if your product was something destined for the mass-market, or if you intend to sell it through resellers, or if your customers are themselves software companies.
>
> I will not mention the fact that in all of the above cases, your highest level of risk is probably inside, not outside.
>
> And if you really insist on protecting your code, then I am afraid that Java is not the best choice of tool.
>
> And I'll finish with another sarcastic note about code obfuscation: in my experience, it is not really necessary to put a lot of effort into this. Other people's code tends to be naturally obfuscated, all by itself.
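The licence-key binding Jeffrey describes (a key that openly names the licensee and is checked against the owner recorded in the customer's own data), worked through as an added example; this is illustrative Python, not Jeffrey's product code or anything from Tomcat, and the vendor secret, company names and in-memory datastore are constructed, with an HMAC standing in for the asymmetric signature a shipped product would use.

```python
import base64
import hashlib
import hmac
import json

# Assumed vendor-side secret (constructed for this example). An HMAC stands in
# for a real signature: in a shipped product the verifier would hold only a
# public key, so a copy of the app cannot mint keys for a new company.
VENDOR_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed stand-in for the customer's database. The licensee's name is
# stored with the data itself, which is what the key is checked against.
ACME_DATA = {
    "owner": "Acme Widgets Ltd",
    "orders": [{"id": 1, "sku": "WIDGET-9", "qty": 40}],
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_key(company: str, expires: str) -> str:
    """Vendor side: the key names the licensee in clear text ("obviously tied")
    and carries an authentication tag over that name and the expiry date."""
    payload = json.dumps({"company": company, "expires": expires},
                         sort_keys=True).encode()
    tag = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def parse_key(key: str) -> dict:
    """Return the licence fields, or raise ValueError if the key was altered."""
    try:
        payload_b64, tag_b64 = key.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error)
        raise ValueError("malformed key") from None
    expected = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key signature mismatch")
    return json.loads(payload)


def check_license(key: str, datastore: dict, today: str) -> str:
    """App side at startup: the key must be intact, unexpired, and name the
    same company that the data records as its owner. ISO dates compare
    correctly as strings, so no date parsing is needed."""
    lic = parse_key(key)
    if lic["expires"] < today:
        raise PermissionError("licence expired on " + lic["expires"])
    owner = datastore["owner"]
    if not hmac.compare_digest(lic["company"].encode(), owner.encode()):
        raise PermissionError(
            "licence issued to %r but data belongs to %r" % (lic["company"], owner))
    return lic["company"]


def run_demo() -> dict:
    """Exercise the scheme on the constructed data: a legitimate start-up, the
    same code and key pointed at another company's data, and a key whose
    company name was edited without the vendor secret."""
    key = issue_key("Acme Widgets Ltd", "2030-12-31")
    results = {"valid": check_license(key, ACME_DATA, "2025-06-01")}
    try:
        check_license(key, {"owner": "Globex Corp", "orders": []}, "2025-06-01")
    except PermissionError as exc:
        results["wrong_owner"] = str(exc)
    edited = json.dumps({"company": "Globex Corp", "expires": "2030-12-31"},
                        sort_keys=True).encode()
    forged = _b64(edited) + "." + key.split(".")[1]  # old tag, new name
    try:
        parse_key(forged)
    except ValueError as exc:
        results["forged"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The check does not stop a determined reverse engineer from patching it out; its value, as Jeffrey says, is that the copied code is only useful together with data that openly names the licensee.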
Re: Securing Tomcat Applications from Reverse Engineering
Hi,

Thanks for the info. I shall take a look at the new licensing link you have sent.

Best Regards,
Kranti K K Parisa

On Fri, Jan 22, 2010 at 11:17 AM, Dmitry Leskov <dles...@excelsior-usa.com> wrote:
> To list owner: I am not sure if vendors are prohibited from posting comments to this list; if they are, let me know and I won't post next time.
>
> Excelsior JET is not an IDE that every developer must have on his/her workstation. It is more like a setup generator. Typically, a team of developers working on a particular project would purchase one or two licenses. As a result, the smaller the team, the higher is the price per developer. For small companies, especially for early stage startups that do not yet have paying customers, this surely may be a deal breaker.
>
> We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008:
> http://www.excelsior-usa.com/store/jetmb.html
>
> Please do not hesitate to email me directly if you have any questions.
>
> Sincerely,
> Dmitry Leskov
> Excelsior LLC
>
> P.S. The main information page for Tomcat Web apps protection is http://www.excelsior-usa.com/protect-java-web-applications.html
>
> > [...]
Re: [OT] Re: Securing Tomcat Applications from Reverse Engineering
On Thu, Jan 21, 2010 at 03:02:41PM +, Peter Crowther wrote:
> 2010/1/21 Mark H. Wood <mw...@iupui.edu>
> > Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.
>
> Mmm, yes and no. Burglary is also a legal problem, but I have locks (on / around the things I want to keep, of a cost and quality appropriate to my expected loss) as well as being able to engage a lawyer if required.

The analogy is imprecise. If you lease a house to someone, you have no feasible technical means to control who enters your house -- the lessee possesses a key and can let in anyone he pleases. But you could write a lease which constrains the set of people lessee is permitted to allow in. (Dunno why, but you could.) The house would be useless to lessee without a key.

Similarly a program, distributed to a user, would be useless unless an intelligible version can be loaded or derived by the user's equipment. But if the user's equipment can load or derive an intelligible version of the program, the program can be reverse-engineered. That's why software licenses almost always contain specific language about reverse engineering.

In both cases the owner has *necessarily* given up technical control of the property, and can only exert control through legal means. You can't stop people abusing property that you hand over to them, but you may be able to punish them if they do.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Securing Tomcat Applications from Reverse Engineering
Hi,

Can anyone throw some light on this topic? It seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
http://www.excelsior-usa.com/jetinternals.html

How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Looking forward to hearing some ideas for this.
http://www.excelsior-usa.com/jetinternals.html

Best Regards,
Kranti K K Parisa
Re: Securing Tomcat Applications from Reverse Engineering
Do you develop web applications and deliver them to the client, so that they can install your applications on their machines without your access to the machine?

Leon

2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>:
> [...]
Re: Securing Tomcat Applications from Reverse Engineering
2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>
> Hi,
> Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
> http://www.excelsior-usa.com/jetinternals.html
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.

That's the company I was aware of; I'm not aware of anyone else who has developed similar technology.

No application is ever 100% secure from reverse engineering. So, you have a business decision to take. How good is good enough protection for your application? Who are you defending against, and what kind of effort are you assuming they're willing to put into the reverse-engineering?

As pointed out by another poster, you can compile JSPs to classes and you can obfuscate your code. Is that good enough?

- Peter
Re: Securing Tomcat Applications from Reverse Engineering
Kranti™ K K Parisa wrote:
> Hi,
> Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
> http://www.excelsior-usa.com/jetinternals.html
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Hi.
Open Source software is very nice. But some developers have to make money to live, also. Presumably, if the above product is expensive, it is because it is complex and took a lot of time to develop. Nobody is stopping you from inventing and developing your own method, and you can then also decide to release it as open source or charge for it what you think is the right price.
Re: Securing Tomcat Applications from Reverse Engineering
Peter Crowther wrote:
> 2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>
> > How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>
> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.

I'll add something to that, just for the sake of it.
I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
RE: Securing Tomcat Applications from Reverse Engineering
http://proguard.sourceforge.net/

> -----Original Message-----
> From: Kranti(tm) K K Parisa [mailto:kranti.par...@gmail.com]
> Sent: Thursday, January 21, 2010 5:05 AM
> To: Tomcat Users List
> Subject: Securing Tomcat Applications from Reverse Engineering
>
> [...]
Re: Securing Tomcat Applications from Reverse Engineering
Joseph Morgan wrote:
> http://proguard.sourceforge.net/
>
> > -----Original Message-----
> > From: Kranti(tm) K K Parisa [mailto:kranti.par...@gmail.com]
> > Sent: Thursday, January 21, 2010 5:05 AM
> > To: Tomcat Users List
> > Subject: Securing Tomcat Applications from Reverse Engineering
> >
> > Hi,
> > Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
> > http://www.excelsior-usa.com/jetinternals.html
> > How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

How much is it worth to you to protect your IP against your estimate of the likely hacker effort to steal it (which only you can judge)? Is it more than the cost of that package? If so, then that package is reasonably priced. If not, then you need to pursue some of the other avenues to protect it that have already been mentioned, such as obfuscation, etc.

D
Re: Securing Tomcat Applications from Reverse Engineering
Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: Securing Tomcat Applications from Reverse Engineering
Hi Leon,

That's correct. We develop and deploy on client machines, but we want to secure the code. Please suggest.

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 4:45 PM, Leon Rosenberg <rosenberg.l...@googlemail.com> wrote:
> Do you develop web applications and deliver them to the client, so that they can install your applications on their machines without your access to the machine?
>
> Leon
>
> 2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>:
> > [...]
[OT] Re: Securing Tomcat Applications from Reverse Engineering
2010/1/21 Mark H. Wood <mw...@iupui.edu>
> Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.

Mmm, yes and no. Burglary is also a legal problem, but I have locks (on / around the things I want to keep, of a cost and quality appropriate to my expected loss) as well as being able to engage a lawyer if required.

- Peter
Re: Securing Tomcat Applications from Reverse Engineering
Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also ideas? I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work, ideas (ideas at code implementation level by using different open-source technologies; well, there are many companies who started like this).

Anyways, thanks for the comments. I would love to share if we invent anything in this process, because small is big and it matters :)

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 5:00 PM, André Warnier <a...@ice-sa.com> wrote:
> [...]
Re: Securing Tomcat Applications from Reverse Engineering
Hi Kranti - Honestly, if the ideas in the product are that valuable, anyone who uses the product with a web browser, print screen, and Paint can fully mock up the application and send the mockups to development. Anything that is deployed on a server that is out of your control is exactly that.

I understand your need as: to remotely deploy a Tomcat application to a customer server. This is the root of the issue. Have you considered a hosted model for delivery?

2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> Well there are soo many comments on the cost of IP and other tools. [...]
Re: [OT] Securing Tomcat Applications from Reverse Engineering
Kranti™ K K Parisa wrote:
> Well there are soo many comments on the cost of IP and other tools. [...]

The basic principle is: if you developed it, then it is your code, and it is your decision what you do with it and how you sell it. But do not forget that, more than the code itself, it is generally the quality of the service that you provide to your customers that will matter.

But I have another suggestion for you: you indicated this product that would allow you to encrypt your code, and mentioned that it was expensive. OK. Now, presumably, these people know why they developed it, and why they charge the price that they do. Why do you not contact them, explain your situation, and ask them to explain why you should pay that price for their product? They must have arguments, and maybe they will convince you. Or maybe they will offer you a discount. ;-)
Re: Securing Tomcat Applications from Reverse Engineering
Hello Kranti,

first of all I strongly believe in open source software and don't like to obfuscate things. But well.

1. If you have internet connectivity on the target server you could only deploy a skeleton of your application and load the protect-worthy classes directly from your servers with your own classloading and some funny remote-id exchange system. This way even the compiled version of the application will never be directly available on the customer's hard drive (you must consider swapping and memory snapshots, but modern OSes encode them). It's cheap but will probably add a load of complexity, which you have to manage and, logically, your customer has to pay for.

2. Precompile JSPs and use a code obfuscator on the JSPs and compiled classes (they replace all private methods and variables with a1, a2, and so on). There are some on the market, more or less good. Use also a CSS/JS minifier; they obfuscate as well.

3. Create a genial encryption algorithm with some one-time passwords and let the customers call you each time they restart the server for a new password. Maybe charge them per password. The server can then decrypt the classes with the password before it starts the webapp.

4. Put the code and Tomcat onto a USB stick with an unreadable filesystem and hack yourself into the USB protocol. Drawback: you'll have to patch the browsers to accept URLs like usb://localhost/yourapp.

5. Stop wasting your time and invest it into developing new features and actually selling your product. If it's worth copying it will be copied this way or another. So far no one has managed to protect their software against copying; better concentrate on things you really CAN achieve.

regards
Leon

2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com:
> Well there are soo many comments on the cost of IP and other tools. [...]
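Leon's option 3 (ship the classes encrypted and decrypt them at startup) is the one that fits in a few dozen lines, so here is an added example of it, written for this page and not taken from the thread or from any product mentioned in it. It assumes Java 7 or later (AES/GCM is in the JDK's default provider from 7 on); the class name DecryptingClassLoader and the blob layout (12-byte nonce, then ciphertext, then the GCM tag) are this example's own choices. The build side encrypts each .class with a fresh nonce; the runtime side is a ClassLoader whose findClass decrypts into memory and hands the bytes to defineClass. Because GCM authenticates the ciphertext, a blob that was modified on disk is refused instead of loaded, which the demo in main checks by flipping one byte.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example (not from the thread): a class loader that keeps the shipped
 * .class files AES-GCM encrypted on disk and decrypts them only in memory.
 * The class name and the nonce||ciphertext||tag layout are this example's own.
 */
public class DecryptingClassLoader extends ClassLoader {
    private static final int NONCE_LEN = 12;  // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // GCM authentication tag length

    private final Map<String, byte[]> encryptedClasses; // class name -> nonce || ciphertext || tag
    private final SecretKey key;

    public DecryptingClassLoader(ClassLoader parent, Map<String, byte[]> encryptedClasses, SecretKey key) {
        super(parent);
        this.encryptedClasses = encryptedClasses;
        this.key = key;
    }

    /* Parent-first delegation still applies: findClass is only reached for classes
     * the parent cannot see, so the plaintext .class must NOT also be on the classpath. */
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] blob = encryptedClasses.get(name);
        if (blob == null) {
            throw new ClassNotFoundException(name);
        }
        try {
            byte[] classBytes = decrypt(blob);
            return defineClass(name, classBytes, 0, classBytes.length);
        } catch (GeneralSecurityException e) {
            // GCM tag failure: wrong key or a tampered blob. Refuse to load rather
            // than hand garbage to defineClass.
            throw new ClassNotFoundException(name + ": decryption failed", e);
        }
    }

    /** Build-time side: encrypt one class file under a fresh random nonce. */
    public static byte[] encrypt(SecretKey key, byte[] classBytes) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(classBytes); // tag is appended by the provider
        byte[] blob = new byte[NONCE_LEN + ciphertext.length];
        System.arraycopy(nonce, 0, blob, 0, NONCE_LEN);
        System.arraycopy(ciphertext, 0, blob, NONCE_LEN, ciphertext.length);
        return blob;
    }

    /** Runtime side: split off the nonce and decrypt; GCM verifies the tag for us. */
    private byte[] decrypt(byte[] blob) throws GeneralSecurityException {
        if (blob.length < NONCE_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to hold nonce and tag");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        return cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
    }

    /*
     * Demo: java DecryptingClassLoader /tmp/out/com/example/Secret.class com.example.Secret
     * Encrypts the given .class in memory, loads it back through this loader, then
     * shows that a one-byte modification of the blob is rejected. The key is generated
     * on the fly here; in a deployment it would arrive out of band (that is the weak point).
     */
    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[32];
        new SecureRandom().nextBytes(rawKey);
        SecretKey key = new SecretKeySpec(rawKey, "AES");

        byte[] plainClass = Files.readAllBytes(Paths.get(args[0]));
        Map<String, byte[]> shipped = new HashMap<>();
        shipped.put(args[1], encrypt(key, plainClass)); // this is what would sit on the customer's disk

        ClassLoader loader = new DecryptingClassLoader(DecryptingClassLoader.class.getClassLoader(), shipped, key);
        Class<?> loaded = Class.forName(args[1], true, loader);
        System.out.println("Loaded " + loaded.getName() + " via " + loaded.getClassLoader().getClass().getName());

        // Flip one byte of the shipped blob: the GCM tag check must reject it.
        byte[] tampered = shipped.get(args[1]).clone();
        tampered[tampered.length - 1] ^= 0x01;
        shipped.put(args[1] + "Tampered", tampered);
        try {
            Class.forName(args[1] + "Tampered", true, loader);
            System.out.println("BUG: tampered class was loaded");
        } catch (ClassNotFoundException e) {
            System.out.println("Tampered blob rejected: " + e.getMessage());
        }
    }
}
```

Run it against a compiled class that is not on the classpath (for instance `javac -d /tmp/out Secret.java`, then `java DecryptingClassLoader /tmp/out/com/example/Secret.class com.example.Secret`); if the plaintext class is also visible to the parent loader, parent-first delegation loads that copy and the decrypting loader is never asked. In Tomcat the hook for plugging in a custom loader is the loaderClass attribute of the Context's Loader element, which the example leaves out so that it runs on its own. The limit of the whole approach is visible in the code: the key and the decrypted bytecode are both in the JVM's memory, so anyone with access to the box can recover them with a -javaagent ClassFileTransformer, a debugger, or a heap dump. It turns "unzip the WAR" into "attach an agent" and nothing more, and Leon's "call us for a password" variant does not change that, since the password still ends up on the customer's machine.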
RE: Securing Tomcat Applications from Reverse Engineering
André - Welcome to the world of small business, for-profit software development. This is a more common attitude than you might be aware.

Jeff

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, January 21, 2010 5:31 AM
To: Tomcat Users List
Subject: Re: Securing Tomcat Applications from Reverse Engineering

> Peter Crowther wrote:
>> 2010/1/21 Kranti(tm) K K Parisa kranti.par...@gmail.com
>>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
> I'll add something to that, just for the sake of it. I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: [OT] Securing Tomcat Applications from Reverse Engineering
Jeffrey Janner wrote:
> André - Welcome to the world of small business, for-profit software development. This is a more common attitude than you might be aware.

I was being somewhat ironic. Being myself a small for-profit software development business, I am well aware of the circumstances. ;-)

But here are another few arguments (apart from the ones I already mentioned in another post):

If you are a small software business whose customers are businesses that use your product, and your product is good and your prices are reasonable, chances are good that none of your customers is even going to bother taking the time to try to copy your product. If they themselves are small/medium businesses, what would they do with it? They have their own business to run. They are not a software company, you are. And if they are big, they will never risk their reputation and their money trying it.

And, agreeing with another post by Leon, you are probably much better off spending your time improving and supporting your product than developing ways to try protecting it from unfair copying.

Things would be different of course if your product was something destined for the mass market, or if you intend to sell it through resellers, or if your customers are themselves software companies. I will not mention the fact that in all of the above cases, your highest level of risk is probably inside, not outside.

And if you really insist on protecting your code, then I am afraid that Java is not the best choice of tool.

And I'll finish with another sarcastic note about code obfuscation: in my experience, it is not really necessary to put a lot of effort into this. Other people's code tends to be naturally obfuscated, all by itself.
Re: Securing Tomcat Applications from Reverse Engineering
On 21/01/2010 16:24, Leon Rosenberg wrote:
> 5. stop wasting your time and invest it into developing new features and actually selling your product. If it's worth copying it will be copied this way or another. So far no one has managed to protect their software against copying; better concentrate on things you really CAN achieve.
>
> regards
> Leon

I agree with this statement. Legal issues aside, you can expend significant time and effort on protecting your code, and a competitor can just copy the style, workflow and application logic with probably about as much effort as it would take to decompile the byte code, tidy it up and get their devs to understand how it works. In fact, the latter would probably be *more* effort, and you can't use technical means to defend against the former.

If you're really paranoid about your code, don't let it out of your control: run your app as a hosted service (as previously suggested).

As Leon says: focus your efforts on making a truly great product and let other people worry about keeping up with you.

p

> On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
>> Peter Crowther wrote: [...]
RE: Securing Tomcat Applications from Reverse Engineering
To list owner: I am not sure if vendors are prohibited from posting comments to this list; if they are, let me know and I won't post next time.

Excelsior JET is not an IDE that every developer must have on his/her workstation. It is more like a setup generator. Typically, a team of developers working on a particular project would purchase one or two licenses. As a result, the smaller the team, the higher is the price per developer. For small companies, especially for early stage startups that do not yet have paying customers, this surely may be a deal breaker. We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008: http://www.excelsior-usa.com/store/jetmb.html

Please do not hesitate to email me directly if you have any questions.

Sincerely,
Dmitry Leskov
Excelsior LLC

P.S. The main information page for Tomcat Web apps protection is http://www.excelsior-usa.com/protect-java-web-applications.html

> Well there are soo many comments on the cost of IP and other tools. [...]
RE: Securing Tomcat Applications from Reverse Engineering
The GCC compiler for Java allows you to compile Java down to native code (AOT - ahead-of-time compiling). I have never tried it before, but it's open source and free to use. That being said, I'm not certain that compiling your class files down to native code is going to solve your problem, since Java web apps are dependent on the class files generated by your application. Unless I'm missing out on some functionality of Tomcat that I'm not aware of, I think your best bet is obfuscation.

Travis Beech

-Original Message-
From: KrantiT K K Parisa [mailto:kranti.par...@gmail.com]
Sent: Thursday, January 21, 2010 3:05 AM
To: Tomcat Users List
Subject: Securing Tomcat Applications from Reverse Engineering

> Hi,
>
> Can anyone throw some light on this topic? It seems it is possible to convert Tomcat + Tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this: http://www.excelsior-usa.com/jetinternals.html
>
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>
> Looking forward to hearing some ideas for this.
> http://www.excelsior-usa.com/jetinternals.html
>
> Best Regards,
> Kranti K K Parisa
Re: Securing Tomcat Applications from Reverse Engineering
Hi Leon,

Thanks for the notes. Maybe in parallel to our sales we may spend some time on the points you mentioned to protect ourselves in the future.

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 9:54 PM, Leon Rosenberg rosenberg.l...@googlemail.com wrote:
> Hello Kranti,
> first of all I strongly believe in open source software and don't like to obfuscate things. But well. [...]
Re: Securing Tomcat Applications from Reverse Engineering
Dmitry Leskov wrote:
> We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008: http://www.excelsior-usa.com/store/jetmb.html

To the OP: there, you see, a discount! And you did not even have to ask. ;-)