Why Source Code Is Important

Add Your Comments

(Ed. note: We got this from a software developer after we talked a bit about the Microsoft problems. For obvious reasons,
we’ll keep him anonymous)

Here’s what I initially got:

________________

Anyway, I’m a developer, so my take on it is this:
Source code is next to godliness.sn of the
source to a program is reserved only, and I do mean
ONLY, for its creator(s). And not just to protect
secrets, but also to prove ownership and retain
creative control.

By losing control of their sourcecode, MS is in
severely bad hot water. This could bite them in the
a$$ in ways the DOJ couldn’t even begin to conceive
of…

________________

I didn’t quite agree with this, so I asked some questions and got some answers

I don’t quite buy this, at least not to the degree you claim.

The smaller the developer the more critical sourcecode
becomes, especially given how some of the more
unscrupulous developers will duplicate features and
functionality of their competitors and then claim they
came up with feature so-and-so first.

I had it happen to me with regard to one feature on a
program I wrote, but by backups of older sourcecode I
was able to prove I had a specific feature before a
competitor did and torpedoed their claim.

A company sent me a cease-and-desist letter regarding a feature
I implemented in my program a couple years ago,
whereas their product JUST came out with the same
feature.

I responded to that effect and provided the
date I released my program with the disputed feature,
along with a note that I had full source and release
date info to back up my claim and if they wanted to
pursue it I’ll see them in court.

They decided not to
press the issue because they knew I’d have ripped them
to shreds in court – with my sourcecode – and they
would have faced the same exact action they threatened
against me. (They sent me a letter saying they were
dropping the matter, and have dropped the feature from
their software, probably to prevent my giving them a
hard time over the same thing.)

(Side note: Since I write security-related software I
obviously will not be able to disclose the name and
nature of the software I’m referring to.)

Then there’s the issues created by the possibility
that someone could slip a modified version of a MS
product into the mainstream.

If you bought a WinME CD
that was really a well-crafted fake (there was a bust
last year if memory serves, of a pirating operation
that duplicated every part of a retail box – even the
authentic-product certificates!) and it essentially
acted as a big OS-hardcoded trojan horse, what then?
Imagine what would happen to consumer confidence in
MS’ OS products if this were to happen, even on a
small scale? Like I said, the worst-case scenario for
MS losing singular possession of their sourcecode
could be a disaster to them. While I don’t
particularly like how MS does business, I wouldn’t
wish that kind of death on my worst enemy…

In the case of MS, we have a situation where they
can leverage secret knowledge of the OS code for their other products.
I’m inclined to find that not so kosher.

Nothing MS does OS-wise is kosher IMHO. Their OS
products are buggy bloatware and as a result it’s
impossible to make any truly crash-proof software that
runs in Windows. Not only that, but they charge for
everything, even bugfixes (think Win98 Second
Edition.) I’m surprised they don’t sell Service Packs.

Of my programs, 97% of all documented crashes were
from the OS puking for some reason or another – I’m
working on that last 3%, but it looks like a lot of
that 3% comes from drivers.

Ed: Before you holler about that, if MS moved into your
programming turf and came up with a better product than you by taking
advantage of secret Windows hooks, would you say “Great! Thank you for putting
me out of business?”

As I said earlier, I agree with your previous
statement. 😉

The only reason MS can’t develop the same product as a
smaller developer and tank them as a result is the
fact that a smaller developer could claim Copyright
infringement and MS knows that’s a no-win situation.
If MS duplicated my program’s functionality and I took
them to court they’d end up settling out of court for
a seriously large amount of $ to protect their own
interests.

Copyrights on computer programs cover the code as well
as the appearance – if another program duplicated your
functionality too precisely you would have a claim,
and they’d have to break out -their- sourcecode to
prove they didn’t duplicate -your- sourcecode or settle
out-of-court to prevent having to expose their
source code for such a comparison. So either way
they’re screwed – either settle the case or risk
having to reveal trade secrets by submitting their
source code for analysis. Even if your claim was denied
and you lost the damage done to the other developer
would be significant in the long run.

This has a lot to do with why MS tends to buy
companies that make products they want instead of just
developing their own. In the long run it’s cheaper
that way! Smaller software developers give each other
grief over this very issue all the time.

Linux shows that open-source can work to at least
some degree; though probably not enough to be truly viable.

Open-source is great for the quality of the end
product, but it’s hard to make a living off
open-source software. Some companies are doing well
(RedHat, et al) but it’s not easy to give away the
software and make up your profits from services. MS
wants to make $ from all the avenues it can, so they
aren’t big fans of open-source. The unmitigated greed
the company shows is both impressive and disgusting.

Current intellectual property laws just don’t fit
software very well. That’s not to say there shouldn’t be any, just that
we have a different animal here that needs different rules.

You’re right, the current intellectual-property laws
were not intended for the new digital world in any
form, regardless of the medium under discussion. The
recent stink over MP3s (Napster, for example) speaks
volumes.

Unfortunately the folks that make the rules are
clueless or near-clueless about how the Internet
really works. Most lawmakers’ Internet expertise is
limited to checking mail on AOL, and that means
they’re simply unable to make educated decisions on
Internet laws. One can’t write a law that makes sense
about something one has no expertise in. Yet they will
do so anyway, and the results will undoubtedly be
negative.

I don’t really
see how much of a secret you can really have when you can reverse engineer
code. Given enough time and effort, a competitor can figure out just how any
really killer feature works. Sure, that takes time and leaves the creator
with a competitive advantage for a while, and there’s nothing wrong
with that, but they aren’t crown jewels; more like cheese.

Reverse-engineering only gives you part of the
picture. I have trade-secret code in one of my
programs that remains unduplicated by any other
software on Earth, and the same code has been in use
since 1998. It took crackers -ten- -months- just to
break my trialware limitation system (95%+ of all
newly released software is cracked and starts
appearing as warez within a week, and more than half
of the time this happens in -one day-) and my next
release will be several times more secure that that
was.

Any boob can reverse a compiled EXE back to basic
code, but no reverse-engineering technique developed
to date results in a -precise- duplicate of the
original code. There are always subtle changes and
these changes are significant. I reverse-engineer and
decompile everything I write, and I add code
specifically intended to throw off reverse-engineering
efforts, which has a lot to do with why my software
isn’t easy to crack.

It’s possible to have a secretly-written piece of code
remain secret for a surprisingly long time.

(I thought the comments about protecting shareware were really interesting,
so I asked some more, and the results are in Part I.

Email Ed


You indicated it took crackers ten months to break
your trialware protection system, and that most share- or trialware
is far less well protected.

Protection is rudimentary at best for a vast majority
of software products, and most retail-packaged
software employs -no- protection at all, with the
exception of about a third of the games on the market.
(You see protection mostly on CD-based games to
prevent the CD being copied, etc. Nothing at all, or
basic “is it a CD?” checking on all other software
genres.)

Why is that? How much more effort does it take to
come up with a reasonably effective protection scheme? How much does one
affect functionality? Given the near certainty someone’s going to try to crack
it, why is most protected software so easy to break?

It doesn’t take as much effort as it does
understanding. To explain…

Very few programs are considered “uncrackable.” The
reason for this is that most software protection
schemes concentrate the code that checks for
tampering, registration/licensing, etc. into one or a
few locations.

By reverse-engineering the executable,
a cracker can get a good idea where that code is
located (though often not necessarily where exactly
down to the specific byte) and from there simply edit
out the protection code by using a hexadecimal) editor
on the file on disk.

This is most commonly done by
replacing the code with NOP commands (which show as
$00 on a hex editor) so that the program will still
run – it’ll hit the code that was there and skip
through the NOP commands until it finds the next
command to act on. At that point it’s a simple matter
to edit out some code and run the EXE to see if it
works, only without any restrictions.

There are a number of ways to defeat piracy efforts,
such as checking for decompilers/reverse-engineering
programs/execution monitors/etc. in memory (this is
used to stop R.E. programs like SoftICE), checking for
tampering of the executable’s file via CRC checking
(which makes -any- changes in the EXE file obvious),
checking for a specific return value from the
protection code (which makes it so that the cracker
must excise the specific lines precisely to defeat the
protection, making the task a lot harder), adding
dummy code that throws off R.E. efforts (which adds a
layer of confusion to the cracker’s task), and so on.

Most software only uses one or a few basic protective
measures and the tendency is to bunch the code up to
do this in one place. Simply edit out that one place
and poof, cracked EXE. Note how patches are small and
cracked EXEs are only cracked in a few specific
places.

My software lasted so long because it used an ActiveX
control to read from an encrypted datafile and my
program read the control’s results and checked them to
ensure they were valid. The cracker that finally broke
it had to edit both the control and my EXE -at the
same time-, as editing one or the other would not work
unless the edits were byte-specific on both.

My next
release will incorporate several additional protective
measures (including CRC checking to detect ANY edits)
and will cross-link them all, so that any tampering
will be detected immediately.

How do small developers view the whole cracking
phenomenon? Pirated software is the norm in most poorer countries, and
that looks unlikely to change in the foreseeable future. At least a
reasonable argument can be made in those countries that developed-world
software prices are simply too high for most less-developed-world users, and people
either have to steal or do without. Any perspectives from that angle?

To a small developer, cracking their software is
roughly akin to kicking their favorite puppy while
mugging them for $. Not only is it a hit to the psyche to know
that someone peeled off your layers of protection and
broke through your locks, but it then becomes a hit to
the pocketbook because a circulated crack means that
developer suddenly may not ever see registration $ for
that particular product again.

Smaller developers are
much closer to their products financially – most
smaller shareware authors derive at least part of
their active income, their living, from software
registrations and their products being cracked can
hurt them severely. Quite a few go under when their
products are cracked.

Piracy is a necessary evil in a lot of the world due
to exorbitant software pricing structures, but the
argument doesn’t wash for most shareware, which is a
lot cheaper than the retail equivalent with a similar
feature set.

Look at JASC’s Paint Shop Pro at $99.95
vs. Adobe’s Photoshop 5.5 at $650. There are not many
things at all that Photoshop can do that PSP can’t,
plenty of pros use PSP instead of Photoshop because
it’s just an awesome product, and PSP costs 1/6th as
much. I use Photoshop, and yes mine’s legit.

The biggest thing that I hear from pirates to justify
their theft (and let’s face it, we -are- talking about
theft – stealing someone else’s product) is that they
want to make sure it’s not crap before they spend any
$ on it.

While I can see where this is a legitimate
beef, and where I can see that demos often don’t give
you the whole picture (as most are partial at best, or
pitifully crippled at worst), the pirates that never
buy anything they “try” are hypocrites to developers.
I’ve known pirates that brag that they’ve -never-
bought -any- of the software they use.

If you pirated
it, and you like it enough to keep using it, doesn’t
its creator deserve the $ they request for it? Doesn’t
that program’s author deserve to know that he/she/they
did a good enough job on the program that you’re
willing to tell them with a little money? See comments
above regarding smaller shareware authors and how much
they depend on the $ they get form their software.

Since a lot of products fund their own development,
pirating them basically kills any hope of improvement
on the product. If nobody buys it, why would its
author work on it any more?

It’s a weird phenomenon to
watch: An awesome program is cracked, and since it’s
awesome everyone grabs the cracked version and the
author suddenly has no reason to improve it. As a
result it languishes and dies a slow death because it
doesn’t pay for the author to work on it any more.

Most authors I’ve talked to on this subject agree with
me on this: they tend to be okay with their products
being pirated as long as the pirates do eventually
prove that they like the products by -registering- the
products. Anyone else is just a petty thief
effectively stealing money from their pockets.

Shareware authors in particular equate people that
pirate their software and never register it with
muggers on the dirtbag criminal scale as the ultimate
effect or end result is largely the same.

Some software is shareware but never gets any
registrations, usually because there’s no real
incentive to register. mIRC is an excellent example.

How many people use mIRC? Probably 5 million or so.
How many have sent in the requested $20 registration?
ONE. Yes, one person sent K. Mardam Bey a check for
$20. The most popular and most common IRC client on
EARTH and its author has earned a whole, massive
twenty bucks for it.

Why? Simple – he never included any way to force people to decide whether to
register it or not. It never stops working after x
number of days, it is fully functional at all times,
and it politely asks once each startup to be
registered. I’d love to see Mr. Bey set mIRC up to
stop working after 30 days, as he’d rake in the big $
if he did as no Windows IRC client before or since can
do what mIRC does.

People will not act unless forced
to do so. Since he hasn’t forced people on the
registration issue, Mr. Bey will probably never see
more than a trickle of registrations from what is
arguably one of the most popular shareware programs
ever developed. He has, however, created what has
become the de facto standard program for IRC and he
can leverage this to his benefit, but mIRC is
essentially a freebie masquerading as shareware.

Email Ed


Leave a Reply

Your email address will not be published. Required fields are marked *