Has Zend Source Encryption Been Rendered Useless? 60
tinkertim asks: "Recently I happened upon this freelance job posting and was intrigued by the domain name suggesting Zend decoding. After looking around a bit and finding the sandbox testing, I realized this is not a gimmick. Reverse engineering used to be a service one had to look for at length, and now there's companies offering it hoping to get on the Google top 10. Obviously - they aren't afraid of lawsuits or police action. If Zend and Source Guardian are so easily broken, are PHP developers wasting their time? Should companies selling scripts just open source them now so they have some control over what seems to be the inevitable release of their code? And what happens when vulnerabilities in popular PHP based billing applications that rely on security via obscurity are found from released decoded source?"
It was useless from conception (Score:5, Informative)
However, there's no reason that "can't obfuscate" should translate into "must open-source". Yeah, you have to provide source, because it's an interpreted language. But the license is whatever you want it to be. There was a time, you know, when most programs came with source, but were under commercial licenses.
Even with compiled languages, source hiding is just lame.
Re:Lame (Score:3, Informative)
This is like somebody going around selling paper-mache deadbolts and telling you about all the horrible things that can happen to your home if you don't buy one. There's an obvious level of dishonesty in selling something and calling it protection (particularly since they go so far as to call it "encryption") when it's fairly trivial to break, and won't protect you against anyone who wants to steal your stuff.
The only thing worse than the criminals themselves are the charlatans who try to foist snake-oil "protection" schemes on unwitting consumers and companies.
ModernBill Security (Score:5, Informative)
We do not rely on security by obscurity on anything but the licensing. There is a difference between _using_ something and _relying upon_ it. We _rely upon_ proven, peer-reviewed, open source libraries to handle credit card encryption. We _use_ obscurity to help protect our "IP" for the same reason people use locks to protect other types of "property". To not make that distinction is polarizing the dichotomy.
Another important dichotomy is the distinction between what is possible and what is accessible. This same distinction needs to be made when arguing for the usefulness of open source. It is of course easier to have the source when you want to understand a program. What the encoder does is make the code less easy to understand. Even in decoded form, it is less easy than having the documented code. It also makes it easier to prove that we were the original author of the code.
That is also why we have unencoded source for most of the code, especially all of the business-specific and display logic that people will likely want to change. We rewrote all of ModernBill over the last year and a half for version 5, which has a front-end for the business-specific and display logic, and a back-end for the business-independent logic. The back-end is encoded to protect our copyright. There is no licensing code in the front-end.
We are active in protecting our clients' and their clients' security. We encourage the gateways we deal with to allow us to use cross-reference IDs to refer to billing account information for recurring charges, so that the billing account information does not need to be retained. We encourage our clients to use all of the security features we make available to them. We have a fraud prevention add-on (that is only an add-on because of the per-lookup charge we incur on our end), and we make it a point to explain why having lower fraud rates is better for everyone because they get better merchant account rates, and avoid chargeback fees. We rewrote the entire application for version 5.0, making many architectural changes to improve security.
For example, we don't use cookies or PHP sessions, avoiding well-known security issues involving those. We lock sessions to IPs. We use an IP whitelist, secret key, and SSL for API access. At the interface level, every hit requires a session ID to be either posted or in the URL, and an action ID determined by an unencoded file, which allows an admin to do whatever they like with the action ID lookups. I will be adding an option to have that be randomized per-session. That is all to make remote exploits more difficult just in case the worst happens and a vulnerability is found. We are not foolishly optimistic.
We have privilege separation by making it possible to separate ModernBill into 4 pieces: the back-end, and the 3 interfaces (admin, client, and order). We don't allow anything encrypted to leave the API, only enter it. All processing of encrypted data must be done by the back-end.
We deal with security issues ethically and promptly. We take security very seriously. We understand that we write billing software in PHP, and that immediately brings concern. ModernBill is not a typical PHP application. It is written in PHP due to its proliferation and portability, not because we are beginnnig programmers who don't know anything else. BTW, you can watch us at http://www.iseedevpeople.com/ [iseedevpeople.com] when we are at the office.
Re:Doesn't Zend filter comments and rename vars? (Score:5, Informative)
Y2\½\7v~sâù=Ãs"...p1ÅZ,á'¼¼--E"lo"ÑÌX;ë÷f(TM)yöz(
o©Z(ê5"*øÏÏÏÎ>:Ï7` ÛÝæt±:&UM"È÷ëåêSW¼nR éf3ýääl±±8&oe7l£0XMwév1;y|...ÊihÉfÑõùj
A Zend Encoded PHP file will not run with a standard PHP install. It requires Zend Optimizer, a free download which allows these files to run. According to the docs Zend Optimizer also makes your PHP scripts run faster, I've not really seen a difference.
Re:DRM (Score:3, Informative)
Re:ModernBill Security (Score:2, Informative)
Of course you take application security seriously, would you have any customers if you didn't? I think the article submitter was implying that you obfuscated your PHP code, which doesn't enhance security in any way. The only gain for obfuscation in a commercial web app is to make it enough of a pain for average users to install the system on multiple hosts without licensing that they bite the proprietry bullet. You know it, I know it and your customers know it.
I think you give the submitter too much credit. Why then would they single out billing software, using the word "rely", and not mention licensing at all? To the submitter, it was all about advocating open source by showing the weekness in encoding, appealing to the security sense of the _users_. That implies that their legitimate use of the software is harmed by the decoding, which implies, just as they said, that we "rely" on it for application security. Otherwise, the argument wouldn't make sense.
The alternative interpretation that you provide is counter to the submitter's argument. If the encoder prevents illegitimate uses, like someone using it to run their multi-million-dollar business for nothing, then it is obviously not useless. We never claim that the encoding is for anything other than preventing illegitimate uses, and is for _our_ benefit. That is the whole point.
BTW: Software is covered by copyright, the authors or there employers hold the copyright on their work. Anybody who talks about protecting 'IP' is obfuscating the issue as 'Intellectual Property' implies ownership and you don't 'own' a copyright, you 'hold' or are assigned a copyright.
All forms of property are imaginary, legal constructs, anyway. Informal language is defined by usage. One could argue the same thing about any form of property, saying that ownership is merely holding the object, and many people actually make that argument, which is actually wrong. The use of the word "hold" also has misleading connotations, but just in a different way. It omits the legal assignment aspect, which you mentioned yourself. At any rate, any of those uses are perfectly valid common usages unless you are in a philosophical debate over the semantics, which we are not.
Anyway, the only clients who say anything about the encoded source issue are the ones who are technically competent enough that they have NDAs with us, and we work with them directly on any issues they have, so they often see the source anyway. We are very open to working with and trusting our legit clients.
We are not some megacorp looking for any way we can screw over our clients. We are a very ethically-minded small business, and we all work hard for reasonable compensation, even the owners. I am a Green Party member who boycotts Wal-Mart, and I can still say that, so it must be true. ;)
Zend Encoder (Score:3, Informative)
Re:Zend Encoder (Score:2, Informative)
My apologies, I should have hit preview first. Here is the formatted version:
Earlier this year we were made aware of sites such as the ones pointed out here that offered commercial services to decript the intellectual property of others. We must stress the illegality of such services, and we will fight such efforts in all ways available to us.
Let's analyze the problem. The vast majority of PHP code is deployed as a web application. In that case, users of the web application have no access to the PHP code - only to the output of these applications (the (X)HTML produced to create the dynamic webpages). The vulnerability discussed in this SlashDot thread therefore does not apply to that scenario.
But the strength of PHP is driving another use of the language. More and more software vendors are creating applications that will be distributed traditionally - by download or CD, and in such cases there is a clear necessity to hide the intellectual property that went into the creation of their application. That is what our Encoder products were designed to make possible.
As pointed out in this debate, any attempt to encode a language is countered by attempts to decode. There is no language that is exempt from this (Google for "[your language] decoder" if you are interested). In the case of PHP, encoders may well encrypt the language that makes up the IP in the application, but at runtime it has to be decrypted to the format that the PHP interpreter can process. Those who are smart enough to snoop into the interpreter can see the straight PHP code being executed. This is true for Zend, IonCube and all others who provide encoding solutions.
The metaphore of using keys to lock your house is applicable. It will not stop the most determined thief, even if it does keep out most of them. And as thiefs become more sophisticated, we want to make our locks more robust.
Zend Technologies has been pursuing an additional strategy of encoding. Today, even if the decoders manage to recreate the code encrypted by our newest product, Zend Guard 4, they will find little if anything that will be meaningful to them. The reason for that is the strong obfuscation that Zend introduced with Zend Guard 4 - it is the first product that obfuscates object oriented programs created with PHP 5.x.
The decoders may be at work to figure out how to reconstruct the original code from this obfuscated code, but they should know that we'll deliver even stronger obfuscation in the 4th quarter of this year. They will have to keep investing time and money to keep up with our development cycle, not to mention figuring out how to make a business out of this illegitimate activity.
====
When the news of the decoders broke earlier this year, we informed all our customers (and former customers) about the situation, what steps to take, and made Guard 4 available to them for free when it shipped in April. Thousands of them have upgraded and are ahead of the decoders today. Through their ongoing relationship with Zend they will stay ahead.
====
So TinkerTim has an option to release his PHP application securely - and if he was a Zend Encoder customer he would have known. If his intent is not that, but instead to promote the decoders, then our message to him is that we will make his life very difficult by continually advancing the encryption technology.
Mark de Visser
Zend Technologies
PS - because of a legal dispute with a European company we had to discontinue the trademark "Zend SafeGuard", and replaced that with "Zend Guard" (we combined the functionality of Zend Encoder and Zend SafeGuard Suite in this new release).