...

Can't hide code, but how to protect as best as possible?



ronjon65
03-29-2012, 12:20 AM
I know it is impossible to protect js. Minify and obfuscation don't seem very effective.

But I ran across code like this, which could not be unobfuscated via simple methods. It appears to have non ascii characters (which I didn't know was possible). I would like to know how to create this same effect to help improve my protection. I realize it will not be highly secure, but something should be better than nothing.

A portion of the .js:

`XEnE)J:2\x00dzA\

EDIT: That doesn't work since the forum can only interpret ascii. But in the actual .js there are non ascii characters. What was done to achieve this?

Old Pedant
03-29-2012, 01:11 AM
JavaScript supports unicode. Nothing special about that.

Example:


<script>
// Encode: shift every character code up by 1024
var s = "the quick brown fox";
var r = "";
for ( var i = 0; i < s.length; ++i )
{
    r += String.fromCharCode(1024 + s.charCodeAt(i));
}
document.write(r);
document.write("<hr/>");

// Decode: shift every character code back down by 1024
var s2 = "ѴѨѥРѱѵѩѣѫРѢѲѯѷѮРѦѯѸ";
var r2 = "";
for ( var i = 0; i < s2.length; ++i )
{
    r2 += String.fromCharCode(s2.charCodeAt(i)-1024);
}
document.write(r2);

</script>

If that string of UTF8 characters doesn't show correctly in your browser, just run the code then copy/paste the result of the first document.write into the s2 quoted string and run it all again.

venegal
03-29-2012, 01:45 AM
But I ran across code like this, which could not be unobfuscated via simple methods.

Whether this obfuscation method makes any sense probably depends on which people you don't want to understand your code. Although UTF8 characters might look rather cryptic to the layman, for anyone savvy enough, this is very simple to beautify: Just step through the code with a debugger; at some point that crazy stuff has to be decoded and evaluated, and there you got the plain text.

It's much better to use a tool that tries to actually understand your code and optimize it, like the Google closure compiler. That way, trying to beautify it will still leave you with a bunch of gibberish that's intended for machines, and not for people.

If you're so inclined, you can of course use both methods for maximum obfuscation. If you're using any Javascript framework and you're okay with not serving it from a CDN, putting it in the same file as your actual code before obfuscation helps too.

Also, the forum has no problems displaying UTF8 characters, so something else must have gone wrong there.
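
[Added example, not part of any post in this thread.] The character-shift trick from Old Pedant's post can be undone from the encoded text alone, because the only unknown is one number. The function names `encode`, `isPlainAscii` and `recover` and the scoring rule are choices made for this illustration.

```javascript
// Added example: a fixed character-code shift is an encoding, not a secret.
// encode() mirrors the +1024 loop from the post; recover() gets only the
// encoded text and works the shift out for itself.

function encode(text, shift) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) + shift);
  }
  return out;
}

// Script source is almost entirely tab, LF, CR and the range 0x20-0x7E.
function isPlainAscii(code) {
  return code === 9 || code === 10 || code === 13 || (code >= 32 && code <= 126);
}

function recover(encoded) {
  if (encoded.length === 0) return null;
  const codes = [];
  for (let i = 0; i < encoded.length; i++) codes.push(encoded.charCodeAt(i));
  const lowest = Math.min(...codes);
  const highest = Math.max(...codes);
  let best = null;
  // Only shifts that land every code unit inside 9..126 can be right,
  // which leaves at most 118 candidates whatever the real shift was.
  for (let shift = highest - 126; shift <= lowest - 9; shift++) {
    const plain = codes.map((c) => c - shift);
    if (!plain.every(isPlainAscii)) continue;
    const text = String.fromCharCode(...plain);
    // Crude "looks like text" score: letters and digits count 1, spaces 3.
    const wordChars = (text.match(/[A-Za-z0-9]/g) || []).length;
    const spaces = (text.match(/ /g) || []).length;
    const score = wordChars + 3 * spaces;
    if (best === null || score > best.score) best = { shift, text, score };
  }
  return best; // null when the input is not a single-shift encoding
}

// Constructed sample: the same sentence and shift the post uses.
const shiftDemo = recover(encode("the quick brown fox", 1024));
console.log(shiftDemo.shift, JSON.stringify(shiftDemo.text));
```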

ronjon65
03-29-2012, 02:41 AM
Wow, thanks. For now, that only makes me totally confused...but more importantly optimistic that I can protect my code to a greater degree than what jsbeatifier.org can easily unobfuscate.

Is there a "step-by-step" way to take my code and improve the security? I know it won't be perfect, but better than nothing.

Philip M
03-29-2012, 08:54 AM
Wow, thanks. For now, that only makes me totally confused...but more importantly optimistic that I can protect my code to a greater degree than what jsbeatifier.org can easily unobfuscate.

Is there a "step-by-step" way to take my code and improve the security? I know it won't be perfect, but better than nothing.

Do you have a particular reason for believing that your code is so remarkable and unusual that anyone would be interested in stealing it?

felgall
03-29-2012, 09:58 AM
The simplest way to reduce the chances of your code getting stolen is to not obfuscate it at all. There is a whole group of thieves who steal obfuscated code just to prove to one another how clever they are to be able to unobfuscate it.

The next thing to do is to place a copyright notice at the top of the code that identifies how to contact you. That way most people will actually contact you for permission if your code actually is that good that other people want to copy it rather than using the code the experts give away.

rnd me
03-29-2012, 05:38 PM
The best deterrent is simply writing code that nobody wants to steal. It's like keeping a cheap bike to ride and lock up on campus whilst you have a nice one in the garage at home: reduce exposure, reduce desire, and nobody will likely bother.

Making good use of ternary and default operators, single-letter private vars, and so on will turn folks away. Take this thread for example (http://www.codingforums.com/showthread.php?p=1208778#post1208778): I posted a function that does more, but someone would rather have the "more readable" version that does less. While that was just trying to be fewer bytes, I've found it's pretty easy to scare people away from code if you try.

Mishu
03-29-2012, 11:51 PM
Do you have a particular reason for believing that your code is so remarkable and unusual that anyone would be interested in stealing it?

A lot of newbies and even not so newbies take both remarkable and not remarkable code when it's what they are after because they either don't know how to write it themselves or can't be bothered writing it for some reason. I've taken a lot of unremarkable code from the interweb, none of yours though ;).

So if you want to deter people from taking your code it's a good idea to at least make it difficult for the newbies.

felgall
03-30-2012, 03:03 AM
So if you want to deter people from taking your code it's a good idea to at least make it difficult for the newbies.

Adding a copyright notice is as difficult as you can make it - there's nothing you can do to prevent them from taking it, all you can do is encourage them to ask first.

Mishu
03-30-2012, 01:40 PM
there's nothing you can do to prevent them from taking it

Read my last post. I never said you can prevent them from taking it. All you can do is make them jump through at least a few hoops to get your code which might stop non tech savvy people. If someone knows what they are doing then of course you can't stop them from taking it. Even I have copied code from other websites regardless of what hurdles are put up in front of me.

Philip M
03-30-2012, 05:19 PM
People who take steps or employ devices which are intended to make it hard for others to copy their code are sending a clear message that they do not wish that to happen, at least without their permission. Obviously that will do nothing to deter the likes of Mishu (and his several pseudonyms), but those who have a moral compass and value their integrity will respect the spirit as well as the letter of the request.

Dishonest behaviour remains just that, even though there is no practical way of preventing it or applying any sanction. People who disregard honesty boxes are cheats. People who take the contents of honesty boxes are thieves.

I do realise that since the spread of the internet many people who are not career criminals are perfectly comfortable with lying, cheating and stealing, the only issue being can you get away with it. It could also be said that the Government often sets a poor example.

ronjon65
03-30-2012, 09:40 PM
Great comments everyone. Here is my strategy and a few answers:

- My code is not impressive at all (in fact, the code is unimpressive). However, it does contain a database of values that took many hours to develop. Essentially there is a script that creates the .js. The end result is what I would like to protect.

- That said, a really great comment was to change the variable names. I can easily make them meaningless variables since the script does not care. This would take a lot more time to interpret and partially deter some.

- I will add the copyright notice. Does anyone have good examples of such a notice?

- I may or may not obfuscate the code. At this point, it probably does not matter and I won't waste energy on it. I think spending the energy on making a better product is probably a better way to improve your overall competitiveness.

- At least I asked the experts and will have peace of mind that I did what I could. The worst is to not even try and find out later that you could have done a better job.

Thanks :)

felgall
03-30-2012, 10:54 PM
Read my last post. I never said you can prevent them from taking it. All you can do is make them jump through at least a few hoops to get your code which might stop non tech savvy people.

All the thieves are tech savvy people. The non-tech savvy people don't know what JavaScript is.

A copyright notice is at least as effective at preventing script theft as anything else you can do.

The number of pages with obfuscated HTML that are stolen is far higher than that of HTML pages that are not obfuscated just because the thieves think they are somehow clever in being able to undo the obfuscation. Because undoing obfuscation of JavaScript involves three or four mouse clicks instead of the one that removing obfuscation from HTML requires they think it is even more clever to be able to steal those scripts.

Take a look at all the really major sites on the web and see how many of them apply any obfuscation whatsoever to their source. If you find one such site in the top thousand I'd be surprised because they know that a simple copyright notice is far more effective at preventing their page content and scripts from being stolen than the alternatives.

Also ANY obfuscation is near certain to have your page not work properly for more visitors than without the obfuscation.

The honest people will not steal your content regardless.
The not quite so honest people might steal content without a copyright notice and if caught would claim they thought it was in the public domain.
Those who have searched a long time for a script that does what yours does will contact you to ask permission to use it if there is a copyright notice - they may not know who to ask and might just take it even if it is obfuscated without the notice.
Tech savvy but generally stupid people will deliberately steal obfuscated content just because they think it is clever.
Those who deliberately set out to steal your content will do so regardless of the measures you apply. The copyright notice will make things easier when you take them to court. The non-tech savvy judge may not realise that the obfuscation is even there or that you mistakenly thought that it would discourage theft.

Old Pedant
03-31-2012, 03:58 AM
RonJon: You know if it is the data you are sensitive about, then the best answer is simple: Don't put the data ANYWHERE in the HTML page. Leave it on the server. Use AJAX to retrieve only the values needed at any given time.
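
[Added example, not part of any post in this thread.] A sketch of the server side of that advice: the page asks for one key and gets one value, and the full table never appears in anything sent to the browser. The handler name `handleLookup`, the sample values and the per-client lookup budget are assumptions made for this illustration; the budget goes beyond what the post says and is there so that bulk retrieval shows up as refused requests.

```javascript
// Added example: framework-agnostic lookup handler. Wire it to whatever
// HTTP layer the site uses; clientId would be a session or account id.

// Constructed stand-in for the hard-won values; it stays on the server.
const DATASET = new Map([["alpha", 3.14], ["beta", 2.72], ["gamma", 1.62]]);

const WINDOW_MS = 60000; // assumed length of one budget window
const MAX_LOOKUPS = 2;   // assumed per-client budget (tiny, for the demo)
const usage = new Map(); // clientId -> { windowStart, count }

function handleLookup(clientId, key, now) {
  // Accept only short, simple keys; everything else is refused up front.
  if (typeof key !== "string" || !/^[a-z0-9_-]{1,32}$/.test(key)) {
    return { status: 400, body: { error: "bad key" } };
  }

  // Start a fresh window for new clients and for expired windows.
  let u = usage.get(clientId);
  if (!u || now - u.windowStart >= WINDOW_MS) {
    u = { windowStart: now, count: 0 };
    usage.set(clientId, u);
  }
  if (u.count >= MAX_LOOKUPS) {
    return { status: 429, body: { error: "lookup budget exceeded" } };
  }
  u.count++; // misses are charged too, so guessing keys uses up the budget

  if (!DATASET.has(key)) {
    return { status: 404, body: { error: "unknown key" } };
  }
  // The response carries the requested value and nothing else.
  return { status: 200, body: { key: key, value: DATASET.get(key) } };
}

console.log(handleLookup("demo-client", "alpha", Date.now()));
```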

Mishu
03-31-2012, 04:02 AM
All the thieves are tech savvy people.

No they are not. I've shown non tech savvy people how to get around some basic, effectively useless, barriers.

An "unwritten rule of thumb" I have seen said in many forums is that if you don't want someone to see it or take it, then don't publish it on the interweb.

felgall
03-31-2012, 04:19 AM
No they are not. I've shown non tech savvy people how to get around some basic, effectively useless, barriers.

As a result of which they are now more tech savvy than they were.


An "unwritten rule of thumb" I have seen said in many forums is that if you don't want someone to see it or take it, then don't publish it on the interweb.

I disagree. I have seen that written in lots of places so it isn't unwritten. It isn't just a rule of thumb either - it is more like the first law of the web.

Mishu
03-31-2012, 04:25 AM
I disagree. I have seen that written in lots of places so it isn't unwritten. It isn't just a rule of thumb either - it is more like the first law of the web.

Who decides on what is a "law of the web" and who enforces any such laws?

If an author sees their work appearing elsewhere without their permission they have the option to sue the person who took it under any appropriate laws and that is the way it should be. If the author can prove the work was actually their own then they might have a case against the person who took the work. But the author proving the work was their own is the hard bit for the author.

Philip M
03-31-2012, 09:23 AM
There is another more powerful law - Do unto others as you would that they did unto you. That means - it is only OK to steal someone's land, bicycle, wife or computer code if you are quite happy for someone else to steal yours.

Mishu seems to think that it is fine to disregard laws or rules which cannot be enforced - it is as though they do not exist. That is what Gaddafi and Assad think as well.

Mishu
03-31-2012, 03:26 PM
Mishu seems to think that it is fine to disregard laws or rules which cannot be enforced

If a "law" cannot be enforced then is it actually a "law"? I see it as a guideline at best. Can you name a government that has ever legislated any laws and then said btw, we can't enforce this legislation? I doubt it. If it can't be enforced then what can it be used for apart from guidelines?

If I copy some code from the interweb, I can't verify if the person I am copying it from actually owns it or not regardless of any copyright or any other notice in the code. Anybody can slap a copyright notice on code or try to make it difficult for someone to copy code whether they actually own the code or not. If someone feels they can prove ownership of any code I have copied then let's settle it in a court - bring it on!! :)

So if anyone wants to copy any code I post anywhere, they are welcome to it and they can unconditionally do what they like with it :)

venegal
03-31-2012, 06:37 PM
Please keep this thread on topic. Discussing the definition of the word "law" isn't terribly helpful.



- My code is not impressive at all (in fact, the code is unimpressive). However, it does contain a database of values that took many hours to develop. Essentially there is a script that creates the .js. The end result is what I would like to protect.


As Old Pedant already mentioned, retrieving that database of values using AJAX might be a good idea. It won't be of any use against people who know how to use their debugging tools, but I suppose there are many people who don't, but who do know how to view the HTML source in their browsers, so at least removing that piece of code from there might make sense for you.



- That said, a really great comment was to change the variable names. I can easily make them meaningless variables since the script does not care. This would take a lot more time to interpret and partially deter some.


I strongly advise against the use of meaningless variable names in your development code. This basically means manual obfuscation, and your development code should never be obfuscated in any way for obvious maintenance reasons.

For your production code, I already suggested using some smart minification tool like the Google closure compiler, which will optimize your code for use by machines instead of humans, which of course includes getting rid of all your verbose variable names.

Take this piece of code, for example:

// This is my valuable data. Please don't steal it!
var myValuableData = {
    meaningfulPropertyName: 0,
    otherMeaningfulPropertyName: 1
};

// Do something with the valuable data
for (var key in myValuableData) {
    alert(myValuableData[key]);
}

Putting it through the closure compiler leaves you with this piece of code:

var a={a:0,b:1},b;for(b in a)alert(a[b]);

Doing this automatically in your production environment is obviously better than manually messing up your development code.



- I will add the copyright notice. Does anyone have good examples of such a notice?


This doesn't have to be anything special; the word "Copyright" and your name should suffice. You actually don't need a copyright notice at all; all your code is automatically copyrighted (at least in those legal systems I know about). The advantage of sporting a copyright notice is that if someone does infringe on your copyright, the notice will help you prove willful (as opposed to just careless) infringement.


