Thread: Protection of intellectual property (Schema & SQL code)

Protection of intellectual property (Schema & SQL code)

From
mlq@hotmail.com (Michael)
Date:
I want to develop an application using a database server. But I am concerned
that installing it at client's sites will mean that I am potentially
exposing my intellectual property to theft. (I'm in Asia where this sort of
thing is rife).

Would it be true to say that for all database servers (Oracle, SQLServer,
PostgreSQL, Interbase etc) it is impossible to absolutely protect the
intellectual property contained in the schema design and sql code ( not to
mention the data itself)?

Is it true that a database backup can always be restored on a different
server and thus the administrator can gain complete access to schema, code
and all data?

If there is a difference in this respect on various server types, is there a
"league table" of which offer the best security?

Can security be enforced in some way by compelling each user (including
administrator) to always have a digital certificate even if using a restored
copy on a different server?

Re: Protection of intellectual property (Schema &

From
Ulrich Wisser
Date:
Hi Michael,

if your concern about theft is really big, you will need
to write a second piece of software. Translate all column
names in your scheme to col1, col2, .. and tables to tab1, tab2, ..
Of course your SQL needs to be adapted. But nobody will
ever be able to make a meaning out of that. So reengineering
will be really tough. But simple copy will still work.

Ulli
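
The renaming pass suggested in the message above, sketched as an added example (not code from any poster in this thread). The sample schema, the query and the function names are constructed, and the DDL parser assumes flat column lists with no parenthesised types or constraints and no column named like an SQL keyword or type.

```python
import re

# Constructed sample schema and query; every table and column name is hypothetical.
DDL = """
CREATE TABLE customer (id integer, name text, credit_limit numeric);
CREATE TABLE invoice (id integer, customer_id integer, total numeric);
"""
QUERY = ("SELECT name, total FROM customer JOIN invoice "
         "ON customer.id = invoice.customer_id WHERE name <> 'total'")

# A single-quoted string literal, or a bare identifier/keyword.
TOKEN = re.compile(r"'(?:[^']|'')*'|\b[A-Za-z_]\w*\b")

def build_mapping(ddl):
    """Assign tabN / colN aliases in order of first appearance in the DDL."""
    mapping, n_tab, n_col = {}, 0, 0
    for m in re.finditer(r"CREATE\s+TABLE\s+(\w+)\s*\(([^()]*)\)", ddl, re.I):
        n_tab += 1
        mapping[m.group(1).lower()] = f"tab{n_tab}"
        for coldef in m.group(2).split(","):
            col = coldef.split()[0].lower()
            if col not in mapping:      # same column name gets the same alias everywhere
                n_col += 1
                mapping[col] = f"col{n_col}"
    return mapping

def rewrite(sql, mapping):
    """Rename mapped identifiers; string literals and unmapped words pass through."""
    def swap(m):
        tok = m.group(0)
        return tok if tok.startswith("'") else mapping.get(tok.lower(), tok)
    return TOKEN.sub(swap, sql)

if __name__ == "__main__":
    mapping = build_mapping(DDL)
    print(rewrite(DDL, mapping))
    print(rewrite(QUERY, mapping))
    # The mapping is the only thing hidden: whoever holds it can invert the rename.
    reverse = {alias: name for name, alias in mapping.items()}
    print(rewrite(rewrite(QUERY, mapping), reverse))
```

The renamed schema and data still dump and restore unchanged on another server, so this only raises the cost of understanding the design, not of copying it.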


Re: Protection of intellectual property (Schema & SQL code)

From
Jason Earl
Date:
mlq@hotmail.com (Michael) writes:

> I want to develop an application using a database server. But I am
> concerned that installing it at client's sites will mean that I am
> potentially exposing my intellectual property to theft. (I'm in Asia
> where this sort of thing is rife).

In other words you want to create a black box.  Information goes in,
but it only comes out if you get paid.  Such a thing is possible, but
only if the customer doesn't get to poke at the box.  If they control
the hardware, then you are sunk.

> Would it be true to say that for all database servers (Oracle,
> SQLServer, PostgreSQL, Interbase etc) it is impossible to absolutely
> protect the intellectual property contained in the schema design and
> sql code ( not to mention the data itself)?

Yes, that's basically how things work.  PostgreSQL, Oracle, SQL
Server, Interbase, and all the rest will happily regurgitate both
"your" schema and your customers' data.  Many of them (like PostgreSQL)
will even do it in an easy-to-edit text format if you ask nicely
enough.

> Is it true that a database backup can always be restored on a
> different server and thus the administrator can gain complete access
> to schema, code and all data?

Yes that is true.  In fact, it is darn handy.  Backups that can't be
installed on a separate machine aren't backups.

> If there is a difference in this respect on various server types, is
> there a "league table" of which offer the best security?

Security usually means keeping crackers out, not systems
administrators.

> Can security be enforced in some way by compelling each user
> (including administrator) to always have a digital certificate even
> if using a restored copy on a different server?

With special hardware and special hardware such a thing *might* be
possible.  For example, the X-Box has been engineered by Microsoft so
that only their software will boot on it.  Chances are good that there
is a loophole or a way to trick the system, however.

Chances are also good that your customers won't be interested in a
system with backups that can't be installed on another machine.  After
all, what happens if the primary machine fails?  They probably also
won't be thrilled by an application that doesn't believe in sharing
data.

Jason

Re: Protection of intellectual property (Schema &

From
Medi Montaseri
Date:
Actually this technique was also used for Java, (as people were going after
the bytecode.) but has been cracked as well.

Given ample time and money, say 100s of programmers in Jail or
for $1 / day, they will figure you out sooner or later.

So perhaps the view should be ... I go so fast that by the time they figure
me out, I have obsoleted that very technology.

God helps us.... I should've taken econ or something else....

Ulrich Wisser wrote:

> Hi Michael,
>
> if your concern about theft is really big, you will need
> to write a second piece of software. Translate all column
> names in your scheme to col1, col2, .. and tables to tab1, tab2, ..
> Of course your SQL needs to be adapted. But nobody will
> ever be able to make a meaning out of that. So reengineering
> will be really tough. But simple copy will still work.
>
> Ulli

--
-------------------------------------------------------------------------
Medi Montaseri                               medi@CyberShell.com
Unix Distributed Systems Engineer            HTTP://www.CyberShell.com
CyberShell Engineering
-------------------------------------------------------------------------




Re: Protection of intellectual property (Schema & SQL code)

From
wsheldah@lexmark.com
Date:
I may well be wrong, but I don't think anything I proposed would make the
application any harder to use or administer for the original user. The
database would be normal, no reason not to use standard procedures to
backup and restore it. The front-end would be binary, which only means the
customer wouldn't be able to maintain and extend it themselves. That might
not be acceptable just for that reason, but it's a LONG ways from
installing a back door or remote off switch. All it would do is make it
obvious that this was a product of A Better Company through the names
used... which as I said probably wouldn't do all that much to prevent
copying, truth be told. I suppose the copy-protection on the front end
could be problematic, depending on what's used; I don't recommend anything
that would unduly hinder backups and restores either.

OTOH, there's the question of whether you're trying to market the same
product to dozens of companies, or just developing a custom app. for one
customer. If you're developing a custom app., you could just charge for the
time it takes you to develop it, let them share it with their friends, just
make sure the app has contact info so other users can hire you to enhance
or customize it for them. And at this point I'm NOT talking about just
renaming objects, this is instead of the other proposal.

Wes
P.S. I apologize for the top quoting....



Jason Earl <jason.earl@simplot.com>@xanadu.simplot.com> on 02/21/2002
05:30:44 PM

Sent by:  Jason Earl <earlj@xanadu.simplot.com>


To:   wsheldah@lexmark.com
cc:   Jason Earl <jason.earl@simplot.com>, mlq@hotmail.com (Michael),
      pgsql-general@postgresql.org
Subject:  Re: [GENERAL] Protection of intellectual property (Schema & SQL
      code)


wsheldah@lexmark.com writes:

<snip>

> One thing you could do just to "tag" it would be to add a prefix or
> suffix to all the tables. Say you work for "A Better Company, Inc.",
> then you might name all your tables things like abc_customer and
> abc_order, etc. The only thing that would help with is if you find
> someone else running a copy, it may be easier to prove that it's
> your schema. Of course they could change the names, but they would
> run the risk of breaking functionality if they don't do it right,
> plus you can hardcode the names in your front-end application. If
> you can compile the front-end such that you only provide them with a
> binary executable, it will be that much harder to change the
> names. And you may have better luck using other copy-protection
> mechanisms with the front end.

If you are going to get mean, why not simply write your application
so that it calls home every once in a while?  It can then check your
database to see if its secret serial number is valid, and if it isn't,
or if there is a duplicate, it shuts itself down.

Good luck signing customers up for that sort of a deal.

> I wish you well,

I don't.  I hate applications that won't share data.  I especially
hate applications that require some sort of secret handshake to backup
properly.

As a developer I believe that developers should get paid, but as a
former systems administrator I also believe that applications that
make it hard for an admin to do his or her job are evil.  There has
*got* to be a better way to get your customers to pay you.

Jason




Re: Protection of intellectual property (Schema & SQL

From
tony
Date:
On Fri, 2002-02-22 at 15:49, wsheldah@lexmark.com wrote:

>
> OTOH, there's the question of whether you're trying to market the same
> product to dozens of companies, or just developing a custom app. for one
> customer. If you're developing a custom app., you could just charge for the
> time it takes you to develop it, let them share it with their friends, just
> make sure the app has contact info so other users can hire you to enhance
> or customize it for them. And at this point I'm NOT talking about just
> renaming objects, this is instead of the other proposal.

There is always a clause in my contracts that lets me leave a "made by"
comment in stuff I make even if I sell the IP rights to the client. And
I never write it the same way in each page so that global search/replace
doesn't work...

Having work stolen is great for the ego. Just make sure you get well
paid for it so that it is also great for the bank balance.

If you keep IP rights on functions and stuff and if you stumble upon
them, sue!!! Drag the thief in front of a judge.

> P.S. I apologize for the top quoting....

Top quoting is good!

Cheers

Tony Grant

--
RedHat Linux on Sony Vaio C1XD/S
http://www.animaproductions.com/linux2.html
Macromedia UltraDev with PostgreSQL
http://www.animaproductions.com/ultra.html


Re: Protection of intellectual property (Schema & SQL code)

From
Lincoln Yeoh
Date:
At 02:27 AM 2/17/02 -0800, Michael wrote:
>I want to develop an application using a database server. But I am concerned
>that installing it at client's sites will mean that I am potentially
>exposing my intellectual property to theft. (I'm in Asia where this sort of
>thing is rife).

Your software can be copied.

>Can security be enforced in some way by compelling each user (including
>administrator) to always have a digital certificate even if using a restored
>copy on a different server?
>

If people really want to they can disable the checks on your program.

So even if you give each of them an individual cert (signed by your CA) and
make the program check the cert or decrypt itself using the results of
verifying the cert, people can always step through the program, retrieve the
decrypted program and remove the checks and voila, cracked program. You'd
still likely know whose copy was cracked but you can't stop the copying
unless as part of its function the program needs to talk to other entities
that require presentation of a _valid_ unrevoked certificate.

---

There's one thing to consider tho, even in Asia people at certain market
ranges are willing to pay just to know that there can be support and
maintenance. At those levels they may not want to pay a lot, but they
aren't going to copy your stuff from someone else for free and try to get
it to run (the few that are are stupid|nuts|nasty and you don't want to
deal with them anyway). That has been my experience so far.

Applications with DB's stuck in them typically belong in these market
ranges (not all tho). In fact you can often pull the per user/seat license
sort of thing without any software controls - the sales people just need to
pay friendly visits to them from time to time to see whether their needs
have changed (easy sale - they are already using more, so obviously they
need+like it :) ).

So if your application falls within this range, then I don't think you need
to worry too much.

But if it's at the consumer end (where support = wall paper music over the
phone, maintenance = user self upgrades to next version ), then oh well
good luck, maybe your app will be on a CD with a dozen other apps for USD3
at some night bazaar sometime ;)...

Regards,
Link.
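
The server-side check that the message above says is the only enforceable one, combined with the serial-number "call home" idea raised earlier in the thread, as an added example (not code from any poster). An HMAC tag computed with a vendor-held key stands in for the CA signature on a certificate; the key, serial numbers, installation ids and all names are constructed.

```python
import hashlib
import hmac

# Hypothetical vendor-side secret; it never ships inside the client program.
VENDOR_KEY = b"constructed-demo-key"

def _tag(serial: str) -> str:
    return hmac.new(VENDOR_KEY, serial.encode(), hashlib.sha256).hexdigest()

def issue_license(serial: str) -> str:
    """Vendor issues 'serial.tag'; the tag plays the role of the CA signature."""
    return f"{serial}.{_tag(serial)}"

class LicenseService:
    """Runs on the vendor's server: the 'other entity' the program must talk to."""

    def __init__(self, revoked=()):
        self.revoked = set(revoked)
        self.bound = {}  # serial -> installation id first seen with it

    def check(self, token: str, install_id: str) -> str:
        serial, _, tag = token.rpartition(".")
        # Validity is decided here, not in client code that can be patched out.
        if not hmac.compare_digest(tag.encode(), _tag(serial).encode()):
            return "invalid"
        if serial in self.revoked:
            return "revoked"
        # A serial seen from a second installation is the duplicate case.
        # A backup restored on replacement hardware lands here too.
        if self.bound.setdefault(serial, install_id) != install_id:
            return "duplicate"
        return "ok"

if __name__ == "__main__":
    svc = LicenseService(revoked={"SN-0002"})
    good = issue_license("SN-0001")
    print(svc.check(good, "site-a"))                      # first installation
    print(svc.check(good, "site-b"))                      # copied installation
    print(svc.check(issue_license("SN-0002"), "site-c"))  # revoked serial
    print(svc.check("SN-0003.deadbeef", "site-d"))        # forged tag
```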