Alright, here's the story. I've developed something which is very, very proprietary and worth a considerable amount of money to many people.
I've entered into a new agreement of huge potential with my client. We've already netted several millions from it in the past year. They now demand that it be hosted on their servers (and integrated with several other previously existing programs), to which I will have full access, and so will they.
Here's the caveat: I don't trust them. I need to have a few more chips in my favor (other than legal action) should they decide to lock me out and go against the contract. By the way, I own the code under our agreement.
I need a trap door.
I want to obfuscate or otherwise hide the source (or key, required classes) so that it would be completely useless to them should they force me out or cut me off.
I've thought of a few things:
1.) The obvious obfuscation.
2.) Keeping the key elements on my own server (unbeknownst to them), and their server must request them from my server. The problem I see with this is that if my server goes down, so would theirs...not good.
3.) Hiding some sort of time-bomb that requires me (or my server) to reset it at a predefined interval, otherwise it erases key files. The problem: if they found it, they could easily deactivate it.
Obviously, server backups create an issue with #3. But unexpected downtime on my server would cause a problem with #2. I hear that #1 isn't hard to crack...so where does that leave me?
Any suggestions or ideas would be greatly appreciated.
BTW, they are a really big, really rich (and debt free) company with large legal department which is good at getting them out of contracts.
If it's worth that much, have a lawyer create a fairly tight contract. From a technical POV, I guess I'd have the script contact my server for a weekly 'check-in' and, should the requests stop, I'd know something was wrong.
Maybe even base my contract on it.
"For continued use of x, each client application must contact www.xxxxxx.com with a frequency of x per week. Should this frequency not be met, at the discretion of the publisher, the client licensee will be liable for x wonga. Each contact will be chargeable at x wonga."
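The weekly check-in proposed above is the one idea in this thread that is monitoring rather than sabotage, so here is what the vendor's side of it could look like. This is an added example, not code from the thread or from either party: the client ids, per-installation secrets, the record format (client id, UTC timestamp, HMAC-SHA256 over `client_id|timestamp`) and the contract figure `REQUIRED_PER_WEEK` are all hypothetical, and the sample records are constructed. It counts correctly signed check-ins per 7-day window, which is what a per-contact billing clause needs, and reports any window that falls short, including clients that never call at all. One caveat a practitioner should keep in mind: the signing secret has to sit on the client's server for their copy of the application to sign anything, so anyone with root there can read it and forge check-ins. The monitor therefore proves that their server could reach yours, not that they are honouring the agreement.

```python
"""Vendor-side check-in monitor for the weekly 'phone home' idea in this thread.

Added example, not from the original post. Everything here is hypothetical:
client ids, secrets, the contract figure REQUIRED_PER_WEEK, and the record
format (client_id, UTC timestamp, HMAC-SHA256 over "client_id|timestamp").
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical contract term: minimum check-ins per 7-day window.
REQUIRED_PER_WEEK = 2

# Hypothetical per-installation secrets. Caveat: each secret must also live on
# the client's server so their copy of the app can sign check-ins, so root
# there can read it and forge records; this proves reachability, not good faith.
CLIENT_SECRETS = {
    "bigco-prod": b"prod-secret-constructed",
    "bigco-staging": b"staging-secret-constructed",
}

START = datetime(2009, 7, 6, tzinfo=timezone.utc)   # first monitored Monday
END = START + timedelta(days=21)                     # three 7-day windows


def sign_checkin(client_id: str, ts: datetime, secret: bytes) -> str:
    """What the client side computes and sends along with each check-in."""
    msg = f"{client_id}|{ts.isoformat()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_checkin(client_id: str, ts: datetime, mac: str) -> bool:
    """Vendor side: accept a record only if its MAC matches that client's secret."""
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False
    return hmac.compare_digest(sign_checkin(client_id, ts, secret), mac)


def missed_windows(records, start: datetime, end: datetime) -> dict:
    """Map client_id -> list of 7-day window starts that had fewer than
    REQUIRED_PER_WEEK valid (correctly signed) check-ins."""
    valid = defaultdict(list)
    for client_id, ts, mac in records:
        if verify_checkin(client_id, ts, mac):
            valid[client_id].append(ts)
    report = {}
    for client_id in CLIENT_SECRETS:            # silent clients are reported too
        misses = []
        window = start
        while window < end:
            in_window = sum(1 for t in valid[client_id]
                            if window <= t < window + timedelta(days=7))
            if in_window < REQUIRED_PER_WEEK:
                misses.append(window)
            window += timedelta(days=7)
        if misses:
            report[client_id] = misses
    return report


def _record(client_id: str, day_offset: int, secret=None):
    """Build a constructed check-in; pass a wrong secret to simulate a forgery."""
    ts = START + timedelta(days=day_offset)
    key = CLIENT_SECRETS[client_id] if secret is None else secret
    return (client_id, ts, sign_checkin(client_id, ts, key))


# Constructed sample log: bigco-prod meets the quota in weeks 1 and 3, but one
# of its week-2 records carries a bad MAC; bigco-staging never checks in.
SAMPLE_RECORDS = [
    _record("bigco-prod", 0), _record("bigco-prod", 3),
    _record("bigco-prod", 8), _record("bigco-prod", 11, secret=b"wrong-key"),
    _record("bigco-prod", 15), _record("bigco-prod", 18),
]


def report_as_day_offsets(records=SAMPLE_RECORDS) -> dict:
    """Same report, with window starts expressed as days since START."""
    return {cid: [(w - START).days for w in windows]
            for cid, windows in missed_windows(records, START, END).items()}


if __name__ == "__main__":
    for cid, days in report_as_day_offsets().items():
        print(f"{cid}: quota missed in windows starting on day(s) {days}")
```

Run as-is it reports `bigco-prod` short in the window starting on day 7 (the forged record is discarded, leaving one valid check-in) and `bigco-staging` short in all three windows. The design deliberately does nothing on the client side beyond sending a signed timestamp: it gives you the evidence and the billable count the contract clause refers to, and it cannot take their site down if your own server is unreachable.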
I do have a pretty good contract (and working on a new one), but I don't feel that it is enough. The company I'm dealing with is very, very wealthy, and I'm not (yet, anyway. ha).
Not only do I need to have some sort of 'check it', but also a way to cripple the site should the partnership come crashing down.
Secondly, I don't want my client to know about it. That would give them time to defuse it before they give me the boot. I would like to be able to use it as an unexpected ransom should they break our agreement.
See, they will have tens of thousands of their customers using it every day. Being able to disrupt that would bring the company to its knees. The potential for PR damage is huge in that.
I probably sound like an evil, masterminding jerk, but I'm really not. I'm just looking out for myself and my family.
Last edited by telos; Jul 17, 2009 at 16:11.
Reason: Grammar, typos.
No no, to be fair, being in the industry, you'd be surprised as to how many software vendors I see do similar.
From experience, 8/10 of those just have a tight contract backing them up. The remaining 2/10 usually just have some sort of encrypted licence file. Of course, if it can be encrypted, it can be decrypted.
Maybe not quite indicative of the situation, but my point being, invest your time in a tight contract and not a technical blackmail solution.
I think you should ask them why they demand that your application be hosted on their servers. If things have worked out pretty well so far, why the sudden changes? Is it to improve on some problems that occurred over this time? If the demand was for a small improvement, I think you should try to find a way to improve it. Consider hosting your application on their server as the last option.
I'm not really sure how safe your position is right now. They have used your application and gained profit in the past year. If you refused to place your application on their server and give them physical access to it, I doubt that they would all of a sudden stop using your service. I also doubt that they will start developing their own because:
1. It surely takes time to develop it.
2. It needs to be tested thoroughly before it could be placed on a production server to serve requests.
3. It needs to be integrated to replace your application. This is when they will start losing money.
4. It needs a maintenance workforce and fees in the long run.
I don't have much experience dealing with rich companies. But with some I have experience with, they prefer to use third party services rather than to develop and maintain the services on their own. Well, this might not be true so you should try to observe the preference of the company you're dealing with.
I would suggest that you not hide something from them, especially since you both are under an agreement. Just be honest and bold about what you want and have in mind.
They want it hosted on their servers because my program is going to be flying their company flag, so to speak.
At first, I was in direct competition with them. They offered a service, I offered a better one. Eventually, all of their subscribers (it's a monthly subscription) left and migrated to mine. It essentially put their service out of business (it's only a very small part of what they do, but lucrative enough for them to notice).
Since then, they offered us a very lucrative deal, but the problem is, there is a lot of changes they want made and they want it completely integrated with the rest of their systems - that's why they want it on their servers.
They surely could develop their own (as they once did), but as you said elantorh, we have the speed to market, testing is done, etc. However, they are bullheaded and slightly egotistical, which is where my distrust stems from in the first place.
I'm afraid that an open refusal, as you said plumsauce, would cause them to balk (due to pride, perhaps) - and money is not an object. My own greed is against me, since I have a lot of money to lose if this deal doesn't go through. And when I say a lot, I mean a lot.
I'm just too afraid to openly refuse. That's why I want to do something discreetly (although that could strain the relationship if they found out).
Felgall, is encryption just as strong even if they have root access to the server? I've been reading up on it, but I'm still pretty ignorant on the subject.
I appreciate all of your input, thank you for your replies.
I don't see the need to have your application hosted on their server just because their company flag will be seen on your application. Do you have any idea regarding this? I mean, do they anticipate that people will do some IP block checking?
I assume your application is a PHP application (since this is posted under the PHP section) and you're thinking of encrypting your source code using another application like ionCube. You should not rely completely on such source code encryption because it could be decrypted.