
Has Zend Source Encryption Been Rendered Useless?

tinkertim asks: "Recently I happened upon this freelance job posting and was intrigued by the domain name suggesting Zend decoding. After looking around a bit and finding the sandbox testing, I realized this is not a gimmick. Reverse engineering used to be a service one had to look for at length, and now there's companies offering it hoping to get on the Google top 10. Obviously - they aren't afraid of lawsuits or police action. If Zend and Source Guardian are so easily broken, are PHP developers wasting their time? Should companies selling scripts just open source them now so they have some control over what seems to be the inevitable release of their code? And what happens when vulnerabilities in popular PHP based billing applications that rely on security via obscurity are found from released decoded source?"
  • by Anonymous Coward on Saturday July 15, 2006 @10:59PM (#15726613)
    Yes, you can copyright php source code and achieve a degree of protection.
    Copyright in fact originally presumed that you gave the copyright office a clear copy of what was copyrighted, so it would become public domain after a few years. The current distortion that effectively makes copyright last VERY long and that does not require deposit of whole works would tend to guarantee they would eventually disappear, rather than contributing to future utility. In computer software, ever stop to think how many clever programs no longer are available and have sources which were copyrighted but probably exist no more in complete form anywhere? How many wheels have been re-invented (and these days possibly even patented) long after the initial invention?
    Technology that makes it impossible to hide sources may not affect the time of copyright, but it would help ensure that such material in some far distant future may become available. Also and more usefully it will provide evidence of inventions which may inhibit slightly the tendency of Johnny come latelies to patent things that have been invented by others long before. Registering something for copyright really ought to do that now but that is another of the areas various governments have conveniently forgotten.
  • SEO? (Score:4, Interesting)

    by marcsherman ( 300604 ) on Saturday July 15, 2006 @11:53PM (#15726762)
    I can't shake the feeling that this Ask Slashdot article was posted as part of the SEO contract solicited in TFJobPosting.
  • 100% spam (Score:5, Interesting)

    by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Sunday July 16, 2006 @01:03AM (#15726928) Journal
    As someone else pointed out, it's an even bigger non-story. The freelance job posted is asking for someone to promote zendecode.com to the top of Google, MSN, etc. and posting on Slashdot certainly helps. The link to "Zen decoding" just goes to zendecode.com. The "sandbox testing" link goes to the forums on zendecode.com. And finally, the link to "popular PHP-based billing applications" just goes to modernbill.com and doesn't link to any reports of bugs. The whole thing is 100% spam backed by FUD. Whoever submitted this is trying to get the keywords "zen decoding" and "sandbox testing" ranked in search engines as being popular terms for zendecode.com. And they're perhaps trying to promote ModernBill for keywords such as "PHP billing application" as well.
     
  • Re:DRM (Score:5, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday July 16, 2006 @01:52AM (#15727011) Journal

    I actually got a response from one company, who called themselves "American Computer Systems". I followed a link from a spam, and they were actually relatively advanced -- they use JavaScript to construct your source from a very long string of alphanumeric characters. At the end, they document.write it. They show this effect off on their homepage. So, I made a textarea in the original page, swapped "document.write(foo)" for "document.(the.text.area).value = foo", then sent it all back to them. Here's the first email I sent them:

    Well, that was an interesting little project. Too bad client-side JavaScript will always be vulnerable to a little tweak here and there, and you didn't even bother to crunch the HTML down ahead of time. It is nice, clean, and readable... Why is it you used to play WMA music? Ah, nevermind, wouldn't have worked, I'm on a Mac at the moment.

    Really, why do you bother? All this does is provide a fun exercise for people like me. I actually automated the process, just for fun. All this does is make the page completely unreadable to people who don't have JavaScript enabled, and it makes it impossible to save bandwidth by compressing the page, as it's now encrypted. Oh, it does compress, but the compressed version of your encrypted JavaScript is twice as big as the compressed version of the original source.

    Anyway, I've found the source code to your main frame, and I've attached it to this email. Now, please stop spamming me, and please find something better to do with your life. And while you're at it, you should read a bit about open source philosophy.

    Now that I look at it, I can see why you'd want to keep it a secret. Looks like you're borrowing source code just like everyone else. That's not a bad thing, but everyone else isn't trying to sell a product on the idea of wanting to not share source code. Someone shared their code with you, but you don't want to share back?

    Well, if you're going to be that way, I guess I won't give you the source code to the program I have which now decrypts the results of your software.

    To my astonishment, I actually got a response. A response somehow defending the position of "encrypting" websites.

    Hi David.

    Thanks for your message. Is nice to read your opinion.You know there is always a better or faster or cheaper way.
    With this program it is the same as with a car. There is no 100% protection, but it help's a lot to lock it.
    By the way I dont steal code to produce my websafe. It is 100% maded here. By the way the original code is abt. the same size
    as the scrambled one. We dont write code like the one you send me. He is already stripped.

    I have seen that your hometown isin the east of the USA. My self I was living quit a while im Maryland. Was a good time David.
    Ok I hope I'm not wasting your time.

    Thanks for your message.

    Erwin

    ps. The wma comes back. Just a filesize problem with one of my providers.

    Funny, I could swear I saw the WMA bit commented out? Ah, well, I'll give him that one, but this is too fun to stop now...

    Erwin Jabor wrote:
    > >
    > > Hi David.
    > >
    > > Thanks for your message. Is nice to read your opinion.You know there is
    > > always a better or faster or cheaper way.
    > > With this program it is the same as with a car. There is no 100%
    > > protection, but it help's a lot to lock it.

    Only, in this case, I have the equivalent of a master key. You're
    better off simply not putting so much value on your HTML design.

    > > By the way I dont steal code to produce my websafe. It is 100% maded
    > > here.

    I meant the code for your website, not your software, and no, it's not.
    You actually give credit to the place you got your hit counter and
    other such things. I can point it out for you if you like.

    The difference is, most w
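
Added example, not part of the comment above or of any vendor's code: a Node.js sketch of why markup that decodes itself in the browser is not protected, and of the compression cost the comment mentions. The sample page, the hex-based `protect` encoder, and the `recover` and `gzipSizes` helpers are constructed for illustration and are assumptions, not the product discussed in the thread.

```javascript
const vm = require('vm');
const zlib = require('zlib');

// Constructed sample page (ASCII only), standing in for a site's real markup.
const ORIGINAL_HTML = [
  '<html><head><title>Constructed sample</title></head><body>',
  ...Array.from({ length: 20 }, (_, i) =>
    `<div class="row"><a href="/item/${i}">Item number ${i}</a></div>`),
  '</body></html>',
].join('\n');

// Hypothetical "protector": hex-encodes the markup and ships the decoder
// in the same script, ending in document.write as the comment describes.
function protect(html) {
  const blob = Buffer.from(html, 'utf8').toString('hex');
  return `var s="${blob}",o="";` +
    'for(var i=0;i<s.length;i+=2)' +
    'o+=String.fromCharCode(parseInt(s.substr(i,2),16));' +
    'document.write(o);';
}

// Run the shipped script with a document.write that only records its
// argument: the same substitution the comment made with a textarea.
// Node's vm module is not a security boundary; use it only on input you
// constructed yourself, as here.
function recover(script) {
  const captured = [];
  const sandbox = { document: { write: (s) => captured.push(String(s)) } };
  vm.runInNewContext(script, sandbox, { timeout: 1000 });
  return captured.join('');
}

// Compare gzip output for the plain page and the "protected" one.
function gzipSizes(html) {
  return {
    original: zlib.gzipSync(Buffer.from(html)).length,
    encoded: zlib.gzipSync(Buffer.from(protect(html))).length,
  };
}

console.log('round trip exact:', recover(protect(ORIGINAL_HTML)) === ORIGINAL_HTML);
console.log('gzip bytes:', gzipSizes(ORIGINAL_HTML));
```

The decoder and its input travel together, so anything the browser can render the reader can also read; the exact size ratio depends on the encoder and the page.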

  • Re:Lame (Score:3, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday July 16, 2006 @02:18AM (#15727033) Journal
    A person who is an accomplished lockpick can pick your average brass deadbolt in a few minutes or less... so to them, every lock is effectively papier mache.

    Except the difference here is, there are thieves who would break in and steal your stuff without also knowing how to pick a deadbolt. Most people who want to steal this source code could do it easily.

    What's more, automatic lockpicks don't work yet (as far as I know), nor can you easily build a robot to pick locks, run in, steal stuff, and bring it straight to the pawnshop. This kind of thing is easily possible with this kind of "encryption" (sorry, "protection") -- I can certainly automate the process of Googling for code that looks like it was "protected" this way, "decrypt" it, and email the results to me, figuring that anyone using this probably has something to hide in their PHP -- maybe a vulnerability, even.

    In any case, would you feel as confident about this if someone really was selling paper-mache deadbolts? If it really is just a question of magnitude, remember, someone still might be able to decompile code fairly quickly (and crack it to do things it tries to prevent, like making a game run without the CD). Compiling, even just to bytecode (and you can do that with some variants of PHP), is more like a real deadbolt. "Encrypting" is paper-mache, and I don't see how it's even "good enough for most".

    Ah, well, at least this is better than the HTML "encryption", which seriously damages the usability of your site, without even slowing down a "hacker" wanting to "steal" your code -- not that you should care about this in HTML, anyway.
