Protecting my scripts from hackers.
Okay, I'm working on a script that I plan on releasing commercially. Either subscription based or flat fee.
My issue with this: how can I keep my script from being hacked/pirated?
I know encryption is the best bet here, but what else can be done to ensure that my licence check function doesn't get tampered with?
Also, the script will be remote connecting to my DB. How can I keep that info private?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Protecting my scripts from hackers.
> spedula wrote: My issue with this: how can I keep my script from being hacked/pirated?
On the piracy issue, have the application require a registration key (and connection to your database for authentication). If it's bought by someone you can hope that maybe they have some morality and won't give away their key (and application).
> spedula wrote: Also, the script will be remote connecting to my DB. How can I keep that info private?
You mention encryption. Encrypt the information in your database.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: Protecting my scripts from hackers.
> social_experiment wrote: You mention encryption. Encrypt the information in your database.
It's not the data in the database I'm worried about so much as my database login credentials that will be in the script.
Re: Protecting my scripts from hackers.
spedula, to answer your question, you cannot prevent but you can deter. The general consensus among experienced developers is to not even try. For example check out this thread, where I recently tried to help someone. They bought a script from a developer like you who thought it would be wise to lock out his own users. Due to that people are telling him to get a refund, and he is also unable to use the script, therefore unlikely to give a word of mouth recommendation.
So let's say 50% of your users pirate your software, but out of those pirates 20% recommend it to 5 friends, and on average 1 of those friends purchases.
1,000 users X $100 per license = $100,000 revenue
50% piracy = $50,000 loss & 200 people telling 5 friends = 1,000 new people find out. With a 1/5 close rate that's 200 sales, so you only technically lose 800 sales for every 1,000 pirates.
Then factor in your time to obscure the code, and also factor in the potential harm it could do to your reputation, consider the fact more experienced developers could easily clone your script but purchase it to save time and realize that depending on your market the majority of the users could feel this way (and then furthermore factor in lost sales due to these lost customers not recommending it to 5 friends). Realize that obfuscation consumes both your, and your customer's valuable time, further lowering the incentive for legitimate purchases, and raising the incentive to pirate it (now you've got all your legit users trying to reverse engineer your script).. talk about unintended consequence.
Long story short, the lifetime value of a customer is way more than double the value of your software, and more than half your users will purchase anyways. They want support, they want to feel content they have the "best" software, they want to be immune from legal risk, etc.
Also let's say you sell your software for $100 and some deadbeat Microsoft employee pirates it, I'd rather be pirated by the Microsoft employee than to receive $100. My lawyer would have a field day talking about how much damages I'd be awarded.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: Protecting my scripts from hackers.
If you really want to protect your code, host it as a service rather than releasing it as an application. You will have to cater to the special needs of your clients if you want to keep them, though.
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Protecting my scripts from hackers.
Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
Re: Protecting my scripts from hackers.
> Peter Kelly wrote: Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
That's [expletive deleted] brilliant!
So instead of the script containing the login credentials for mySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.
This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
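Added example (not written by any poster in this thread): the remote license check described in the two posts above, sketched in PHP with the server's yes/no reply signed and tied to a per-request nonce, so the script can tell a genuine answer from an edited or replayed one. Function names, keys and license values are hypothetical; it assumes PHP 7.2+ with the sodium extension, and direct function calls stand in for the HTTPS request.

```php
<?php
// Added example. Needs PHP 7.2+ (sodium extension). Keys and licenses are constructed.

// Vendor server: the signing key and any DB credentials stay here, never in the script.
function license_server_respond(string $license, string $nonce, string $secretKey, array $validLicenses): array
{
    $body = json_encode([
        'license' => $license,
        'nonce'   => $nonce,                              // echo the client's challenge
        'valid'   => in_array($license, $validLicenses, true),
        'expires' => time() + 300,                        // reply is good for 5 minutes
    ]);
    $sig = sodium_crypto_sign_detached($body, $secretKey);
    return ['body' => $body, 'sig' => base64_encode($sig)];
}

// Customer's copy of the script: it ships with the public key only.
function license_client_verify(array $reply, string $license, string $nonce, string $publicKey): bool
{
    $body = (string) ($reply['body'] ?? '');
    $sig  = base64_decode((string) ($reply['sig'] ?? ''), true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;                                     // malformed signature
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        return false;                                     // not signed by the vendor key
    }
    $claims = json_decode($body, true);
    return is_array($claims)
        && ($claims['license'] ?? null) === $license
        && ($claims['nonce'] ?? null) === $nonce          // rejects a replayed reply
        && ($claims['valid'] ?? false) === true
        && ($claims['expires'] ?? 0) > time();
}

// Demo: direct calls stand in for the HTTPS request to the vendor's page.
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey($keypair);
$public  = sodium_crypto_sign_publickey($keypair);
$nonce   = bin2hex(random_bytes(16));

$reply = license_server_respond('DEMO-1234', $nonce, $secret, ['DEMO-1234']);
var_dump(license_client_verify($reply, 'DEMO-1234', $nonce, $public));   // genuine reply

$edited = ['body' => str_replace('DEMO-1234', 'DEMO-9999', $reply['body']), 'sig' => $reply['sig']];
var_dump(license_client_verify($edited, 'DEMO-9999', $nonce, $public));  // body changed after signing

var_dump(license_client_verify($reply, 'DEMO-1234', bin2hex(random_bytes(16)), $public)); // stale reply, new nonce
```

A signed reply only makes the answer itself trustworthy; it does not stop someone from removing the call to the verifier in their own copy, which is the limitation raised later in this thread.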
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Protecting my scripts from hackers.
> spedula wrote:
> > Peter Kelly wrote: Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
> That's [expletive deleted] brilliant!
> So instead of the script containing the login credentials for mySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.
> This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
I'm glad it helps
Re: Protecting my scripts from hackers.
Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code trust me. 
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Protecting my scripts from hackers.
> josh wrote: Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code trust me.
Ioncube has yet to be cracked, Zendcube has though.
Re: Protecting my scripts from hackers.
The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Re: Protecting my scripts from hackers.
> josh wrote: The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Protecting my scripts from hackers.
> spedula wrote:
> > josh wrote: The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
> Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
Hehe you did ask how to protect your scripts, he's just gone a little more in-depth than lots of us understand xD