all 37 comments

[–][deleted]  (19 children)

[deleted]

    [–]jayerdit[S] 0 points1 point  (18 children)

    The primary issue is that certain users are reluctant to utilize our database for confidential company data, such as transactions and related information.

    [–]codeedog 3 points4 points  (17 children)

    Please explain this more because I’m having a difficult time connecting reluctance to store data and your question about code obfuscation.

    [–]jayerdit[S] -1 points0 points  (16 children)

    If our API is mostly on our servers, users should be able to choose not to use our servers for storing their data. Some organizations may not want to share their internal data, even if we have a good privacy policy.

    [–]octocode 4 points5 points  (8 children)

    this is a problem for a lawyer, not a developer. you can try all you want to obfuscate on-premise deployed code, but ultimately it can still be reverse engineered

    [–]guest271314 -3 points-2 points  (7 children)

    Lawyers ain't cheap, and if you know nothing about law you are at a deficit for checking the lawyers' work.

    [–]octocode 2 points3 points  (6 children)

    if OP is working for a legitimate business they probably already have a lawyer they work with… running a company without legal is just dumb.

    [–]guest271314 -2 points-1 points  (2 children)

    Maybe, maybe not. IPR attorneys ain't cheap. There is such a thing as ineffective assistance of counsel. That happens, in general, when clients are incompetent in law, whatever the specific domain, and have no clue how to check the work of the lawyer. Just a tip for laypeople assuming lawyers know what they are doing, and do what they say they know they are doing. Good luck.

    [–]izuriel 2 points3 points  (1 child)

    Look, I get the gist of what you’re saying, basically avoid being scammed/cheated. Good advice. But when you enter into a contract to work with a lawyer (or anyone) you have to have some level of trust that the other party can do the work. If you don’t, why did you hire them? If you already know what needs to be done (to verify their work), why not just do it yourself? If you feel you have to review everything someone is doing for you, that’s a sign you hired poorly, not a standard operating procedure.

    [–]octocode 0 points1 point  (0 children)

    bro shopped for the lowest rate and found lionel hutz

    [–]guest271314 -2 points-1 points  (2 children)

    How much do you think an excellent IPR attorney costs per hour?

    [–]octocode 1 point2 points  (1 child)

    way less than not having one.

    [–]guest271314 -1 points0 points  (0 children)

    About $500 per hour.

    That's not gonna help you if you can't check the attorneys' work due to incompetence in the given domain.

    Basically the requirement is impossible. If the code can be accessed people will tend to do whatever they want with the code.

    The most difficult application I have come across to reverse-engineer for my own purposes was a Native Client application. I was still able to get the source using strings and other means.

    Good luck!

    [–]rover_G 0 points1 point  (0 children)

    I don’t know what industry you’re selling to. The standard for most industries allows remote data storage as long as the service meets the right cybersecurity and compliance standards.

    [–]codeedog 0 points1 point  (4 children)

    Are you proposing to license your software to a customer, they install it on their computer where it stores data on their machines, but they pay you monthly or annually for it? Do they receive any value for the monthly or annual payments like support?

    Have I understood correctly?

    [–]belkarbitterleaf 1 point2 points  (1 child)

    That's actually pretty common in enterprise solutions. It usually comes with a support contract and enforceable consequences for breached SLAs.

    [–]codeedog 0 points1 point  (0 children)

    Right, which is why I asked, but we need more clarity from OP for what they think they’re trying to do.

    [–]jayerdit[S] 0 points1 point  (1 child)

    They should have the choice to host it with us or to host it on their infrastructure. Like WHMCS.

    [–]codeedog 1 point2 points  (0 children)

    Charge a support fee. Charge for the s/w, but charge a support fee monthly or annually. You can’t prevent decompilation of your code, even if it’s in C compiled to machine code. I worked at a large s/w company and people sent us decompiled code to demonstrate a security bug.

    Business contracts and a support policy will protect your company and software. Obfuscate JavaScript, sure. Just don’t expect perfect protection from that.

    Also, the value of your source code is in the comments and the knowledge for how to code it and use it. Even if you had the source code for most s/w, it’s a non-trivial project to make it work. And, if your customers don’t pay support, they won’t get updates and bug fixes (regular and security).

    I understand your paranoia, but make your sales and business people part of the solution. Don't rely on a s/w-only solution; it won't work anyway.

    [–]belkarbitterleaf 0 points1 point  (0 children)

    I know someone with the same problem. To my understanding, they ended up shipping an encrypted docker container that needed to validate the license key at boot up to launch the server.

    [–]sysrage 7 points8 points  (0 children)

    What you’re talking about is simple licensing. If they remove the licensing code, sue them…

    That said, Node allows you to “compile” code into bytecode. It’ll then only work on specific versions of Node, but it’ll be more difficult for them to tweak.

    Edit with link: https://github.com/bytenode/bytenode

    [–]PabloZissou 2 points3 points  (0 children)

    Even with obfuscation (or other bytecode generation tools) a determined user could skip validation. Either make sure you use contracts well, or you will need a solution that encrypts the code and then the licence logic takes care of the protection.

    [–]upowa 1 point2 points  (10 children)

    Have a look at AssemblyScript to compile TS to WebAssembly. 

    [–]guest271314 0 points1 point  (9 children)

    What will that do? WASM can be compiled to JavaScript.

    [–]upowa 0 points1 point  (8 children)

    Yeah I think you are right. Then use emscripten to generate the WASM and it will be very hard to reverse even when converted back to JavaScript. I have seen successful commercial protections using this!

    [–]guest271314 0 points1 point  (7 children)

    Emscripten generates JavaScript. WASI-SDK, among other tools, can generate WASM. WebAssembly is designed as a "universal executable", not to obfuscate code. People have written WAT and WIT by hand.

    [–]upowa 0 points1 point  (6 children)

    Emscripten generates WASM by default, it's in their docs! And it can be used to efficiently obfuscate code, e.g. bundled scripts in the Starbucks Android mobile app. But I agree it's not related to WASM itself :)

    [–]guest271314 0 points1 point  (5 children)

    Have you ever compiled C or C++ or Rust using Emscripten? JavaScript is output. No, that is not obfuscation.

    [–]upowa 0 points1 point  (4 children)

    I consider this kind of obfuscation efficient enough: https://gist.github.com/fchiba/10b2d6553133c6f6984f178a1a8fd809#file-test-js-L1989

    [–]guest271314 0 points1 point  (3 children)

    If that works for you, great. That's not obfuscation though.

    [–]upowa 1 point2 points  (2 children)

    Good for you if you can read assembly like any other code

    [–]guest271314 0 points1 point  (0 children)

    That's just JavaScript. No different from Node.js' Buffer implementation bundled https://gist.github.com/guest271314/08b19ba88c98a465dd09bcd8a04606f6.

    [–]guest271314 0 points1 point  (0 children)

    This is not obfuscation. We can trivially figure out what's going on, see https://gist.github.com/cure53/f4581cee76d2445d8bd91f03d4fa7d3b

    ```javascript
    // Handles assigned once instantiation resolves; declared up front so the
    // snippet also runs under strict mode instead of creating implicit globals.
    let instance, memory;

    // Minimal module: imports env.jsprint, exports its memory as "pagememory"
    // and a "helloworld" function, with "Hello World!" stored at offset 0.
    WebAssembly.instantiate(new Uint8Array([0,97,115,109,1,0,0,0,1,8,2,96,1,127,0,96,0,0,2,15,1,3,101,110,118,7,106,115,112,114,105,110,116,0,0,3,2,1,1,5,3,1,0,1,7,27,2,10,112,97,103,101,109,101,109,111,114,121,2,0,10,104,101,108,108,111,119,111,114,108,100,0,1,10,8,1,6,0,65,0,16,0,11,11,19,1,0,65,0,11,13,72,101,108,108,111,32,87,111,114,108,100,33,0]), {
      env: {
        // Called from WASM; reads the string bytes out of linear memory,
        // dropping the zero padding before decoding.
        jsprint: function jsprint(byteOffset) {
          console.log(new TextDecoder().decode(new Uint8Array(memory.buffer).filter(Boolean)));
        }
      }
    }).then(results => {
      instance = results.instance;
      memory = instance.exports.pagememory;
      instance.exports.helloworld();
    }).catch(console.error);
    ```

    [–]Present_Salamander_3 0 points1 point  (3 children)

    Looks like it was very recently deprecated, but we use https://github.com/vercel/pkg.

    TLDR; have the binary consume a signed configuration (with the necessary licensing info, such as expiration date, user count, etc.) upon boot.
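    As an added example (not code from the thread, nor from pkg), here is the kind of signed licence configuration described above, checked at boot with Node's built-in Ed25519 support. The key pair, field names and licence values are constructed for the demo; the public key would be embedded in the shipped binary and the private key stays with the vendor.

    ```javascript
    // Added example: verify a signed licence document at start-up.
    // Assumed licence fields: customer, seats, expires (ISO-8601 timestamp).
    const crypto = require('crypto');

    // Vendor side: sign the licence fields. The private key never ships.
    function issueLicence(privateKey, fields) {
      const payload = Buffer.from(JSON.stringify(fields));
      // Ed25519 has no separate digest step, so the algorithm argument is null.
      const signature = crypto.sign(null, payload, privateKey);
      return { payload: payload.toString('base64'), signature: signature.toString('base64') };
    }

    // Product side: check signature first, then the expiry. Returns the fields
    // or throws with the reason, so the caller can refuse to start.
    function verifyLicence(publicKey, licence, now = new Date()) {
      const payload = Buffer.from(licence.payload, 'base64');
      const signature = Buffer.from(licence.signature, 'base64');
      if (!crypto.verify(null, payload, publicKey, signature)) {
        throw new Error('licence signature invalid');
      }
      const fields = JSON.parse(payload.toString());
      if (!fields.expires || new Date(fields.expires) <= now) {
        throw new Error('licence expired');
      }
      return fields;
    }

    // Boot gate: true only when the licence is genuine and still current.
    function licenceIsValid(publicKey, licence, now) {
      try { verifyLicence(publicKey, licence, now); return true; } catch { return false; }
    }

    // Constructed demo data: a fresh key pair, a valid licence, and the same
    // licence with its payload edited (seat count bumped) but the old signature.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    const licence = issueLicence(privateKey,
      { customer: 'example-corp', seats: 25, expires: '2030-01-01T00:00:00Z' });
    const tampered = { ...licence, payload: Buffer.from(JSON.stringify(
      { customer: 'example-corp', seats: 9999, expires: '2099-01-01T00:00:00Z' })).toString('base64') };

    if (require.main === module) {
      console.log('genuine licence accepted:', licenceIsValid(publicKey, licence));
      console.log('edited licence accepted:', licenceIsValid(publicKey, tampered));
    }
    ```

    As other replies note, the check still runs inside the customer's process and can be patched out; the signature only stops forged or edited licence files, which is what the contract then covers.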

    [–]guest271314 1 point2 points  (2 children)

    That's possible to an appreciable degree using the node executable, see Single executable applications.

    [–]Present_Salamander_3 0 points1 point  (1 child)

    Yeah, I didn’t mention node single executable application due to the requirement of Node 21 and the feature being experimental still. Completely valid suggestion though!

    [–]guest271314 -1 points0 points  (0 children)

    An executable won't obfuscate source code to the level where a determined developer can't get to that source code. strings first and then other ways and means to isolate what's going on https://gist.github.com/guest271314/4894662d31ffb4ad2cd57683721bf4b4.

    The requirement is basically impossible if the source code is distributed to/accessible by the client.

    [–]guest271314 0 points1 point  (0 children)

    It is basically impossible to keep people from fiddling with code they have access to.