  1. #1
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,099

    how does vBulletin protect their scripts

    I have heard that vBulletin can turn off forums if they are illegally installed.

    I want to license some of our software and wondering what is the best way.

    I'm thinking of having some of the scripts phone home to our servers to check if their key is valid (I am guessing this is how vBulletin protects their scripts).
    These would be the admin scripts and will not be in constant use. Would this cause an overhead issue?

    Is there a preferred method to doing this?

    Any and all thoughts welcome.

    Thanks
    Loren
    What I lack in acuracy I make up for in misteaks

  2. #2
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    There are methods, but to be honest they aren't worth it.

    I'm not sure how VBulletin does it (or even IF they do) but the 'phone home' idea is flawed in two major ways:

    1. It means that a request is sent to your server and it waits for the response - this would slow down the user's request to the site running your code
    2. As they have full access to the code, they can simply override the checking mechanism.



    An illustration of the second point, say you have the following function:
    PHP Code:
    // Phone-home check: ask the vendor's server whether this code is valid
    function IsLegalCopy(){
        $Return = file_get_contents('http://auth.yoursite.com/verify.php?code=' . AUTHORISATION_CODE);
        if($Return == '1'){
            return true;
        }else{
            return false;
        }
    }

    You could easily just override it with ONE line:
    PHP Code:
    function IsLegalCopy(){
        return true; // inserted line: everything below is now unreachable
        $Return = file_get_contents('http://auth.yoursite.com/verify.php?code=' . AUTHORISATION_CODE);
        if($Return == '1'){
            return true;
        }else{
            return false;
        }
    }

    The request wouldn't even be sent.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  3. #3
    SitePoint Member GVRV's Avatar
    Join Date
    May 2009
    Posts
    3
    Two questions arise from the reply:
    1) Do they use simple return statements like that? Or do they use complicated encrypted keys that can be generated on the fly for verification much like https requests or something?
    2) If you had to protect a PHP script you were selling, how would you do it?

    Thanks a lot!

  4. #4
    SitePoint Addict SirAdrian's Avatar
    Join Date
    Jul 2005
    Location
    Kelowna, BC
    Posts
    289
    They call home to version.vbulletin.com as it checks for updates in the ACP.
    Adrian Schneider - Web Developer

  5. #5
    <?php while(!sleep()){code();} G.Schuster's Avatar
    Join Date
    Mar 2007
    Location
    Germany
    Posts
    428
    Um...arkinstall...thought you've been developing PHP for a long time now...shouldn't you know of IonCube and tools like it?

    To answer the original question - use an SSL connection to your server and encrypt the complete communication, e.g. with GPG or something alike.

    @GVRV: 2) IonCube, Zend Guard and tools like these
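
Added example (not from any poster in this thread): the authenticated phone-home reply that post #5 points toward, using an Ed25519 signature from PHP's bundled sodium extension in place of GPG, so the shipped code holds only a public key and a spoofed or replayed reply fails verification. The function names, licence code and inline keypair are constructed for the demo, and the check still sits in code the customer can edit, as post #2 shows.

```php
<?php
// Vendor side: runs on the licence server; the secret key never ships.
function issueLicenceReply(string $secretKey, string $code, string $nonce, bool $valid): array {
    $payload = json_encode([
        'code'    => $code,
        'nonce'   => $nonce,          // echo of the client's nonce
        'valid'   => $valid,
        'expires' => time() + 86400,  // reply is good for one day
    ]);
    return ['payload' => $payload,
            'sig'     => sodium_crypto_sign_detached($payload, $secretKey)];
}

// Customer side: ships with the product and holds only the public key.
function verifyLicenceReply(string $publicKey, array $reply, string $code, string $nonce): bool {
    $payload = $reply['payload'] ?? null;
    $sig     = $reply['sig'] ?? null;
    if (!is_string($payload) || !is_string($sig)
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;                 // malformed reply
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return false;                 // not signed by the vendor's key
    }
    $data = json_decode($payload, true);
    return is_array($data)
        && hash_equals($code, (string)($data['code'] ?? ''))
        && hash_equals($nonce, (string)($data['nonce'] ?? '')) // rejects replayed replies
        && ($data['valid'] ?? false) === true
        && ($data['expires'] ?? 0) > time();
}

// Constructed demo: keypair generated inline, no network involved.
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey($keypair);
$public  = sodium_crypto_sign_publickey($keypair);
$code    = 'DEMO-0000-0000';          // constructed licence code
$nonce   = bin2hex(random_bytes(16)); // fresh per request

$good   = issueLicenceReply($secret, $code, $nonce, true);
$forged = ['payload' => $good['payload'],
           'sig'     => str_repeat("\0", SODIUM_CRYPTO_SIGN_BYTES)];
$stale  = issueLicenceReply($secret, $code, bin2hex(random_bytes(16)), true);

var_dump(verifyLicenceReply($public, $good, $code, $nonce));   // genuine reply
var_dump(verifyLicenceReply($public, $forged, $code, $nonce)); // bad signature
var_dump(verifyLicenceReply($public, $stale, $code, $nonce));  // answers another nonce
```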

  6. #6
    SitePoint Member GVRV's Avatar
    Join Date
    May 2009
    Posts
    3
    @G.Schuster : Thanks for the quick reply. But both of them are kinda pricey (start at $199 - $600), what would a one man shop starting out do to protect their IP?

  7. #7
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Quote Originally Posted by G.Schuster
    Um...arkinstall...thought you've been developing PHP for a long time now...shouldn't you know of IonCube and tools like it?
    Code encryption is a different arena entirely - and it isn't completely decode-proof.

    Besides, people are much less willing to pay for code that's encrypted - a fact that I've personally tried and proven. The risk of piracy is worth the risk of less sales.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  8. #8
    SitePoint Wizard bronze trophy bluedreamer's Avatar
    Join Date
    Jul 2005
    Location
    Middle England
    Posts
    3,349
    Spending $600 could work out very cheap if software piracy robbed you of $10,000 or more

  9. #9
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,099
    Thanks for the replies, I have ioncube and only plan on encoding a few key files.

    The goal is to give them access to customize a majority of the scripts but still lock it down to run on our authorized servers.

    I was just wondering about the logic and approach other people use.

    We have an activation key now and it is pretty much security by obscurity. We check md5 checksums and a few other tricks and were thinking of something bulletproof.

    If the phone home idea would work, I have 3 servers across the country so that if one went down it would try the others.

    All of our competition either totally encrypts the files or they entirely host the service.

    We can't afford to make it open source but we want to allow access to the bulk of the code and host the servers themselves. (our server DVD download is disabled until we lock down the license bit)

    We do give 1000% more flexibility than any other service and we want to keep it that way.

    Many thanks and if you have any more ideas keep them coming.

    Quote Originally Posted by SirAdrian
    They call home to version.vbulletin.com as it checks for updates in the ACP.
    This sounds like what I am looking for

    Cheers
    Loren
    What I lack in acuracy I make up for in misteaks

  10. #10
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Well, make sure core functionality is encrypted too. It's incredibly easy to bypass verification.

    I don't like to use 3rd party code, but sometimes it's a necessity. When I do, and it costs and is paid for, I need to make sure it's quality code - nothing that wasn't thought through fully.

    So, if I get the source code and I CAN bypass verification methods without breaking main functionality, I just get rid of the entire 3rd party application. If it has ONE system that doesn't work properly, there could be a lot more issues - and security is always a good area to put under a lot of scrutiny.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  11. #11
    SitePoint Guru
    Join Date
    Jun 2006
    Posts
    638
    All the user has to do is remove the encrypted code, and see what errors show up when they run the page...

  12. #12
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,099
    There will be no errors other than failed including the encrypted file and nothing will work.
    I have been very careful about that.

    My big question is, how would you protect your scripts?

    I have thought about the ways around this and my thoughts are have them phone home.

    If there is no key or no internet the scripts are designed to silently fail ( exit; ) ( the system requires the internet ).

    Thanks
    Loren
    What I lack in acuracy I make up for in misteaks

  13. #13
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,196
    Quote Originally Posted by GVRV
    @G.Schuster : Thanks for the quick reply. But both of them are kinda pricey (start at $199 - $600), what would a one man shop starting out do to protect their IP?
    IonCube has an online encrypter where you pay per page you encrypt. If you feel the full price of their encrypter is too steep, create an account and use their online encrypter.

    Quote Originally Posted by arkinstall
    Besides, people are much less willing to pay for code that's encrypted - a fact that I've personally tried and proven. The risk of piracy is worth the risk of less sales.
    Not really, if you deliver a dead solid software people will buy it even if it's encrypted. The higher the license fee is, the less people complain that it's encrypted.

    Though you have a point, I do believe that selling a software for $50 encrypted is harder than one for $5000 as the customer mass/target is different.

  14. #14
    SitePoint Guru
    Join Date
    Jun 2006
    Posts
    638
    Quote Originally Posted by lorenw
    My big question is, how would you protect your scripts?
    The only way to "protect" them is to run them off your server.

    Example:
    - You sell your site, BUT the site runs on your lib files, those files are on your server, and the client does not have any access to them.

    The trick there:
    - will be slower (wait on your server)
    - you need a few servers (to accommodate all the client's traffic)
    - you need to make it in such a way so the client's website can be modified easily, without the need to touch your API (code on your server)
    - you need to make it in such a way so most the functionality is in your API (on your server)

    All the "encrypted" stuff can be decrypted.
    So, if a client paid 5,000 for your site, chances are:
    - he signed your contract
    - he has money to lose if he breaks the contract (sue his ***)
    - he has $ to find someone to decrypt your site.

    If you sold it for 50$, then why waste your time with this? That guy probably wasted quite some time to find you with your price, so he will have the time to waste finding a way to decrypt your code (even if the time spent could better be used working for minimum wage and make more $ than on your 50$ 5 min script).

